Hackers chained Apple and WhatsApp flaws in spyware campaign

A few days ago, Apple fixed a vulnerability on iOS and macOS that “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” Now, new details have emerged, and it appears that the hacking campaign also leveraged a now-fixed WhatsApp flaw to target its victims. Here are the details.

As reported by TechCrunch, Meta has confirmed that it fixed a WhatsApp flaw (CVE-2025-55177) that, when used in combination with the flaw that Apple recently fixed on iOS and macOS (CVE-2025-43300), could “allow an attacker to deliver a malicious exploit” and steal user data.

The report came after Donncha Ó Cearbhaill, Head of Security Lab at Amnesty International posted on X about Meta contacting users who may have been targeted by the flaw.

Meta’s advisory reads:

Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.

While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.

We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or be targeted in other ways.

To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.

As TechCrunch noted, it is currently unclear exactly who was behind the attack, or how many people were affected, beyond Meta’s statement that it has sent “less than 200” notifications to potentially targeted individuals.

To be clear, both Apple and Meta have issued fixes for these vulnerabilities, so even if you are not a high-profile individual, it may be a good idea to make sure that your devices and apps are up to date.

Now that the details about the flaws have been made public, attacks looking to exploit outdated devices and apps are bound to increase.