As reported by Security Affairs, a sophisticated zero-click attack has been targeting iPhones running iOS 16, allowing threat actors to hijack WhatsApp accounts without any user interaction, linked devices, or notifications, according to Italian digital forensics firm Forenser.The attack exploits vulnerabilities in iOS 16, specifically CVE-2025-43300 within the ImageIO framework and potentially CVE-2025-55177, to gain unauthorized access to WhatsApp sessions. Attackers can extract cryptographic material to instantiate a new WhatsApp client, enabling them to send messages, often requesting money transfers, from the victim's account. This occurs without the victim's knowledge and without appearing in the "Linked Devices" section of the WhatsApp app. The continuous "resync" events observed in device logs indicate a session contention between the legitimate user and the attacker.While traditional security measures are ineffective against zero-click exploits, updating iOS to the latest version is the primary mitigation. Users are also advised to lock their chats, update the WhatsApp app, or reinstall it. If a suspicious money request is received, users should call the contact directly rather than replying in the chat. This incident highlights the increasing sophistication of financially motivated cybercrime, leveraging zero-day exploits against a wide user base running unpatched operating systems.Source: Security Affairs
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds





