Meta disclosed in late January 2025 a WhatsApp vulnerability that let attackers compromise devices by sending a malicious PDF to a group chat, with no user interaction required. The zero-click exploit was used by Paragon Solutions, an Israeli spyware vendor, to target roughly 90 journalists and civil society members; Meta said it had disrupted the campaign in December 2024.
Incident overview
| Attribute | Details |
|---|---|
| Vulnerability type | Zero-click remote code execution |
| Attack vector | Malicious PDF in group chat |
| Spyware deployed | Graphite (Paragon Solutions) |
| Targets | ~90 individuals |
| Primary victims | Journalists, civil society, human rights groups |
| Geographic focus | Italy (confirmed), broader scope suspected |
| Discovery | University of Toronto Citizen Lab |
| Fix type | Server-side (no client update required) |
The attack chain
The vulnerability allows attackers to deliver malicious media files through WhatsApp group chats. Because WhatsApp automatically downloads incoming media by default and processes the file on receipt, the exploit triggers without the victim ever opening the PDF.
| Phase | Action |
|---|---|
| 1 | Attacker identifies victim and one of their contacts |
| 2 | Attacker creates new WhatsApp group |
| 3 | Attacker adds victim and their contact to group |
| 4 | Attacker promotes contact to admin (legitimizing group appearance) |
| 5 | Attacker sends specially crafted PDF file |
| 6 | WhatsApp auto-downloads file to victim’s device |
| 7 | Graphite spyware executes without user interaction |
| 8 | Spyware escapes Android sandbox, compromises other apps |
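The eight phases above form a sequence that can be checked mechanically against group-chat events. The Python script below is an added example written for this page, not a Meta or Citizen Lab tool and not code from the original article. It runs over a constructed list of events in a hypothetical schema (WhatsApp does not export group events in this form; a practitioner would have to reconstruct them from a device backup) and flags any PDF that arrives in a freshly created group, from a number outside the user's contacts, after the user was added by a non-contact and one of their saved contacts was promoted to admin by that non-contact. `GroupEvent`, `triage`, `sample_events` and all phone numbers are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class GroupEvent:
    """One group-chat event (hypothetical schema, not WhatsApp's export format)."""
    ts: datetime
    group: str
    kind: str      # "created", "added", "promoted" or "file"
    actor: str     # number that performed the action or sent the file
    subject: str   # number that was added/promoted, or the file name for "file"


DOCUMENT_EXT = (".pdf",)   # the campaign used PDFs; extend for other document types


def triage(events, me, contacts, window=timedelta(hours=24), min_reasons=3):
    """Return (group, file name, reasons) for every document whose delivery
    matches at least min_reasons phases of the group-chat attack chain."""
    by_group = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_group[ev.group].append(ev)
    findings = []
    for group, evs in by_group.items():
        created = next((e for e in evs if e.kind == "created"), None)
        for f in evs:
            if f.kind != "file" or not f.subject.lower().endswith(DOCUMENT_EXT):
                continue
            earlier = [e for e in evs if e.ts <= f.ts]
            reasons = []
            if created is not None and f.ts - created.ts <= window:
                reasons.append(f"group created only {f.ts - created.ts} before the file arrived")
            if f.actor not in contacts:
                reasons.append("file sent by a number that is not a saved contact")
            if any(e.kind == "added" and e.subject == me and e.actor not in contacts
                   for e in earlier):
                reasons.append("you were added to the group by a non-contact")
            if any(e.kind == "promoted" and e.subject in contacts and e.actor not in contacts
                   for e in earlier):
                reasons.append("a non-contact promoted one of your saved contacts to admin")
            if len(reasons) >= min_reasons:
                findings.append((group, f.subject, reasons))
    return findings


ME = "+39300000000"                            # constructed numbers throughout
CONTACTS = {"+39300000002", "+39300000003"}


def sample_events():
    """Constructed events: one group following the attack chain, one ordinary work group."""
    t = datetime(2025, 1, 10, 9, 0)
    unknown, colleague = "+44700000001", "+39300000002"
    return [
        # phases 2-6 of the chain, all performed by an unknown number within minutes
        GroupEvent(t, "grp-7a1", "created", unknown, ""),
        GroupEvent(t + timedelta(minutes=1), "grp-7a1", "added", unknown, ME),
        GroupEvent(t + timedelta(minutes=1), "grp-7a1", "added", unknown, colleague),
        GroupEvent(t + timedelta(minutes=2), "grp-7a1", "promoted", unknown, colleague),
        GroupEvent(t + timedelta(minutes=5), "grp-7a1", "file", unknown, "invoice.pdf"),
        # a long-standing group in which a saved contact shares a document
        GroupEvent(datetime(2024, 12, 1, 8, 0), "grp-work", "created", colleague, ""),
        GroupEvent(datetime(2024, 12, 1, 8, 1), "grp-work", "added", colleague, ME),
        GroupEvent(datetime(2025, 1, 9, 17, 30), "grp-work", "file", colleague, "agenda.pdf"),
    ]


if __name__ == "__main__":
    for group, name, reasons in triage(sample_events(), ME, CONTACTS):
        print(f"{group}: {name}")
        for r in reasons:
            print("  -", r)
```

The threshold matters: the same PDF from the same new group scores only one reason once the sender is a saved contact, which is exactly the trust-inheritance problem the chain exploits, so the contact list fed to the triage should be the victim's real address book, not a guessed one.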
Post-compromise capabilities
| Capability | Access level |
|---|---|
| Encrypted messages | Full access |
| Call logs | Full access |
| Microphone | Potential access |
| Camera | Potential access |
| Other apps | Via Android sandbox escape |
Paragon Solutions and Graphite spyware
Paragon Solutions is an Israeli surveillance technology company competing with NSO Group in the commercial spyware market.
Company background
| Attribute | Details |
|---|---|
| Founded | 2019 |
| Founders | Ehud Barak (former Israeli PM), Ehud Schneorson (ex-Unit 8200 commander) |
| Product | Graphite spyware |
| Market position | Competes with NSO Group’s Pegasus |
| Claimed policy | Sells only to democratic nations’ law enforcement/intelligence |
| Acquisition | December 2024, AE Industrial Partners ($500 million) |
Known government clients
Citizen Lab mapped Paragon’s server infrastructure and identified potential government customers:
| Country | Status |
|---|---|
| Australia | Potential client |
| Canada | Potential client |
| Cyprus | Potential client |
| Denmark | Potential client |
| Israel | Potential client |
| Singapore | Potential client |
US government use
| Agency | Status | Details |
|---|---|---|
| DEA | Confirmed (2022) | NY Times reported Graphite use |
| ICE | Confirmed (2024) | $2 million contract per Wired |
Confirmed victims
| Individual | Role | Organization |
|---|---|---|
| Francesco Cancellato | Journalist | Italian media |
| Luca Casarini | Founder | Mediterranea Saving Humans |
| Dr. Giuseppe Caccia | Founder | Mediterranea Saving Humans |
Forensic analysis confirmed Graphite on these devices via BIGPRETZEL, an Android log artifact that Citizen Lab assesses to be unique to Paragon's implant.
Targeting pattern
“In the cases already investigated, there is a troubling and familiar pattern of targeting human rights groups, government critics, and journalists.”
— Citizen Lab
CVE-2025-55177
A separate WhatsApp vulnerability of the same zero-click family, disclosed later (August 2025) and not part of the Paragon group-chat chain, which was fixed server-side and received no CVE:
| Attribute | Details |
|---|---|
| CVE | CVE-2025-55177 |
| CVSS | 5.4 |
| Affected platforms | WhatsApp for iOS, WhatsApp for macOS |
| Type | Insufficient authorization of linked-device synchronization messages: an unrelated user could cause a target's device to process content the attacker chose |
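The bug class in the table, a sync message accepted on the strength of identifiers it carries rather than of who actually sent it, is easiest to see in a small model. The code below is an added, hypothetical illustration written for this page; it is not WhatsApp's code and does not reproduce the real protocol, whose internals are not described here. `Account`, `LinkedDevice`, `SyncMessage`, `sync_tag`, the `pairing_key` and the phone numbers are all assumed. The weak handler acts on whatever account the message body names; the fixed one requires the body to match the identity authenticated by the transport session, requires that device to actually be linked to the named account, and verifies a MAC under that device's pairing key.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class LinkedDevice:
    device_id: str
    pairing_key: bytes                  # hypothetical secret set up when the device was linked


@dataclass
class Account:
    phone: str
    devices: dict = field(default_factory=dict)   # device_id -> LinkedDevice
    applied: list = field(default_factory=list)   # sync payloads that were acted on


@dataclass(frozen=True)
class SyncMessage:
    account: str      # account whose state the message claims to synchronise
    device_id: str    # linked device the message claims to come from
    payload: bytes
    tag: bytes        # HMAC-SHA256 over account|device_id|payload under the pairing key


def sync_tag(key: bytes, account: str, device_id: str, payload: bytes) -> bytes:
    data = b"|".join((account.encode(), device_id.encode(), payload))
    return hmac.new(key, data, hashlib.sha256).digest()


def handle_sync_weak(accounts: dict, msg: SyncMessage) -> bool:
    """Insufficient authorization: whichever account the body names gets the payload."""
    target = accounts.get(msg.account)
    if target is None:
        return False
    target.applied.append(msg.payload)
    return True


def handle_sync_fixed(accounts: dict, msg: SyncMessage, sender: tuple) -> bool:
    """sender is (account, device_id) as authenticated by the transport session,
    the only identity the handler is allowed to trust."""
    if (msg.account, msg.device_id) != sender:
        return False        # body names an identity other than the authenticated sender
    target = accounts.get(msg.account)
    if target is None or msg.device_id not in target.devices:
        return False        # not a device that is linked to this account
    expected = sync_tag(target.devices[msg.device_id].pairing_key,
                        msg.account, msg.device_id, msg.payload)
    if not hmac.compare_digest(expected, msg.tag):
        return False        # tag does not verify under that device's pairing key
    target.applied.append(msg.payload)
    return True


def demo() -> tuple:
    """Constructed scenario: an unrelated user sends a sync message naming the victim."""
    victim = Account("+39300000000")
    victim.devices["victim-laptop"] = LinkedDevice("victim-laptop", b"v" * 32)
    attacker = Account("+44700000001")
    attacker.devices["attacker-dev"] = LinkedDevice("attacker-dev", b"a" * 32)
    accounts = {a.phone: a for a in (victim, attacker)}

    # The attacker can only produce a tag under their own pairing key, so the
    # forged body names their own device but the victim's account.
    payload = b"fetch:https://attacker.example/payload"      # constructed payload
    forged = SyncMessage(victim.phone, "attacker-dev", payload,
                         sync_tag(b"a" * 32, victim.phone, "attacker-dev", payload))
    weak_accepts = handle_sync_weak(accounts, forged)                                    # True
    fixed_accepts = handle_sync_fixed(accounts, forged, (attacker.phone, "attacker-dev"))  # False

    # A genuine message from the victim's own linked device still goes through.
    genuine_payload = b"mute:grp-7a1"
    genuine = SyncMessage(victim.phone, "victim-laptop", genuine_payload,
                          sync_tag(b"v" * 32, victim.phone, "victim-laptop", genuine_payload))
    genuine_accepts = handle_sync_fixed(accounts, genuine, (victim.phone, "victim-laptop"))  # True
    return weak_accepts, fixed_accepts, genuine_accepts


if __name__ == "__main__":
    print(demo())
```

The MAC alone would not have been enough: a valid tag under the attacker's own key proves only that the message came from some linked device, which is why the fixed handler first binds the body to the transport-authenticated sender and only then looks up the key.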
Why group chats are effective attack vectors
| Factor | Exploitation |
|---|---|
| Automatic media download | Default WhatsApp behavior downloads files without confirmation |
| Trust inheritance | Groups containing known contacts appear legitimate |
| Reduced scrutiny | Users pay less attention to files in group contexts |
| Scalability | One malicious file can target multiple users simultaneously |
| Social engineering | Admin promotion makes group seem authentic |
Telegram founder Pavel Durov cited the flaw as evidence that “WhatsApp has multiple attack vectors,” though Telegram has faced its own security scrutiny.
WhatsApp’s response
| Action | Details |
|---|---|
| Server-side patch | Deployed late 2024; no client update required |
| User notification | About 90 potentially targeted users notified (January 2025) |
| No CVE assigned | WhatsApp chose not to request a CVE-ID because the fix was server-side only |
| Attack neutralization | December 2024 |
Why no client update?
WhatsApp addressed the vulnerability “without the need for a client-side fix”—the server-side patch eliminated the attack vector without requiring users to update their apps.
Ongoing improvements
| Initiative | Status |
|---|---|
| Enhanced protections for high-risk users | Rolling out (journalists, activists, public figures first) |
| Broader availability | Planned for later 2026 |
| Rust adoption | New security components written in Rust for memory safety |
Protection recommendations
For all WhatsApp users
| Priority | Action |
|---|---|
| High | Update WhatsApp to latest version |
| High | Disable automatic media downloads |
| Medium | Review group memberships regularly |
| Medium | Be suspicious of unexpected group additions |
Settings → Storage and data → Media auto-download: set each of the three options (mobile data, Wi-Fi, roaming) to "No media".
This narrows the exposure rather than removing it: whatever the client still processes on receipt without a download is unaffected by the setting, which is why it is paired with keeping the app updated.
For high-risk users (journalists, activists, executives)
| Protection | Implementation |
|---|---|
| WhatsApp advanced security | Enable when available |
| Silence Unknown Callers | Settings → Privacy → Calls |
| Group privacy controls | Settings → Privacy → Groups (limit who can add you) |
| iOS Lockdown Mode | Device-level protection |
| Android hardening | Disable USB debugging, use work profile |
Commercial spyware landscape
Major vendors
| Vendor | Product | Notable for |
|---|---|---|
| NSO Group | Pegasus | Most widely documented |
| Paragon Solutions | Graphite | This campaign |
| Candiru | DevilsTongue | Windows/macOS focus |
| QuaDream | REIGN | iOS zero-clicks |
| Intellexa | Predator | EU-based operations |
WhatsApp legal actions
| Year | Action | Target |
|---|---|---|
| 2019 | Lawsuit filed | NSO Group (Pegasus attacks on about 1,400 WhatsApp users) |
| 2024 | Court ruling | NSO Group found liable for hacking |
| 2025 | Jury verdict | About $168 million in damages awarded against NSO Group |
| Ongoing | Monitoring | Multiple spyware vendors |
Detection and forensics
Indicators of compromise
| Artifact | Platform | Meaning |
|---|---|---|
| BIGPRETZEL | Android | Paragon Graphite confirmed |
| Unusual PDF processing | Both | Potential exploitation |
| Unexpected app permissions | Both | Possible sandbox escape |
What to do if targeted
| Step | Action |
|---|---|
| 1 | Don’t factory reset immediately (preserves forensic evidence) |
| 2 | Contact Citizen Lab or Amnesty Tech for analysis |
| 3 | Consider legal consultation |
| 4 | Document all suspicious activity |
| 5 | After forensic preservation, consider new device |
Recommendations
For individuals
| Priority | Action |
|---|---|
| Immediate | Update all messaging apps |
| High | Disable automatic media downloads |
| High | Review group memberships |
| Ongoing | Maintain operational security awareness |
For organizations with high-risk personnel
| Priority | Action |
|---|---|
| High | Implement mobile device management |
| High | Deploy device-level hardening (Lockdown Mode) |
| High | Establish incident response for spyware detection |
| Ongoing | Monitor threat intelligence on commercial spyware |
Context
Zero-click exploits represent the most dangerous class of mobile vulnerabilities because they require no user action. The commercial spyware industry—companies like NSO Group, Paragon, and Candiru—develops and sells these exploits to governments, who use them for surveillance of journalists, dissidents, and political opponents.
WhatsApp has previously sued NSO Group over Pegasus spyware attacks and won a significant legal victory in 2024. The Paragon campaign demonstrates that the cat-and-mouse game between messaging platforms and surveillance vendors continues.
For users in sensitive roles, assume that sophisticated attackers may have access to undisclosed zero-click exploits. Defense in depth—updated software, restricted permissions, device hardening, and operational security practices—remains the best protection.