Application security

Zero-click attack hijacks WhatsApp accounts on iOS 16

WhatsApp Messenger displayed on mobile device

As reported by Security Affairs, a sophisticated zero-click attack has been targeting iPhones running iOS 16, allowing threat actors to hijack WhatsApp accounts without any user interaction, linked devices, or notifications, according to Italian digital forensics firm Forenser.

The attack exploits vulnerabilities in iOS 16, specifically CVE-2025-43300 within the ImageIO framework and potentially CVE-2025-55177, to gain unauthorized access to WhatsApp sessions. Attackers can extract cryptographic material to instantiate a new WhatsApp client, enabling them to send messages, often requesting money transfers, from the victim's account. This occurs without the victim's knowledge and without appearing in the "Linked Devices" section of the WhatsApp app. The continuous "resync" events observed in device logs indicate a session contention between the legitimate user and the attacker.

While traditional security measures are ineffective against zero-click exploits, updating iOS to the latest version is the primary mitigation. Users are also advised to lock their chats, update the WhatsApp app, or reinstall it. If a suspicious money request is received, users should call the contact directly rather than replying in the chat. This incident highlights the increasing sophistication of financially motivated cybercrime, leveraging zero-day exploits against a wide user base running unpatched operating systems.

Source: Security Affairs

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds