iPhone Users Urged to Update WhatsApp After Serious Security Flaws Exposed

Apple iPhone owners who rely on WhatsApp for daily communication are being strongly advised to update the app without delay after the discovery of a pair of critical vulnerabilities that may have allowed cyber attackers to infiltrate devices and steal sensitive personal data. The disclosure comes directly from WhatsApp, a subsidiary of Meta, which confirmed that these flaws were patched only recently but had already been linked to what experts describe as a sophisticated spyware campaign targeting iPhone users.

In its August security advisory, WhatsApp highlighted two high-risk vulnerabilities, the most serious being tracked as CVE-2025-55177. This bug, affecting WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS prior to 2.25.21.78, and WhatsApp for Mac prior to 2.25.21.78, left the door open for unauthorized individuals to manipulate linked device synchronization messages. In practice, this meant that attackers could trick a victim’s iPhone into processing content from a malicious URL without the user ever realizing it. Combined with a separate flaw at the operating system level on Apple platforms (CVE-2025-43300), the vulnerability could be chained into a dangerous attack capable of compromising the device and the wealth of data it contained.

What is especially concerning is WhatsApp’s admission that the exploit might not have remained theoretical. Instead, experts believe attackers have already taken advantage of this vulnerability combination in the wild, delivering spyware capable of infiltrating targeted iPhones. According to Donncha Ó Cearbhaill from Amnesty International’s Security Lab, who has been monitoring the situation, this amounted to an “advanced spyware campaign” that has been operational since May. Ó Cearbhaill described the method as a zero-click attack – meaning it required no action from the victim. Unlike phishing attempts that depend on tricking users into clicking malicious links, zero-click exploits trigger automatically, silently compromising the device.

The implications of such an attack are enormous. Once triggered, the spyware could harvest messages, photos, and confidential files stored on the iPhone. For journalists, activists, and business executives, the risks extend to exposure of contacts, communications, and sensitive work data. Amnesty’s analysis suggests that the campaign was highly selective, targeting specific individuals rather than the general public, which is typical of spyware operations tied to surveillance rather than financial gain.

Although WhatsApp initially suggested the issue was restricted to iOS and macOS, reports have emerged indicating that Android devices may not be completely safe either. Out of caution, Android users are also being told to install the most recent version of WhatsApp from the Google Play Store to ensure their devices are not left vulnerable.

For iPhone owners, the recommended course of action goes beyond just updating the app. WhatsApp and Meta have advised that in some cases, a full factory reset may be necessary to completely clear any hidden malware traces. While disruptive, resetting ensures that any spyware deeply embedded within the system is eradicated. Users are also urged to make sure their iPhones are running the latest version of iOS, as Apple regularly closes off system-level vulnerabilities that hackers try to exploit. Those affected should update WhatsApp to at least version 2.25.21.73 on iOS or 2.25.21.78 on Mac to remain protected.

Ó Cearbhaill has further recommended enabling Apple’s Lockdown Mode, an extreme security feature introduced in recent iOS releases that hardens the device against complex cyberattacks, including zero-click exploits. Android users, meanwhile, can benefit from enabling Advanced Protection Mode, which similarly reduces the attack surface available to intruders. Both measures come with usability trade-offs but provide valuable defense in high-risk scenarios.

Meta spokesperson Margarita Franklin noted that the flaw was quietly patched just a few weeks earlier, and only a small number of users – fewer than 200 worldwide – were directly notified by WhatsApp of possible compromise. These notifications included language that highlighted the potential risks: “A malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains.” While WhatsApp cannot confirm with absolute certainty that each notified phone was hacked, the company emphasized the importance of taking immediate action.

This is not the first time WhatsApp has had to deal with targeted spyware campaigns. Earlier this year, the platform uncovered and disrupted a malicious operation that had targeted 90 individuals, including journalists and members of Italian civil society. These repeated discoveries illustrate how messaging apps have become central battlegrounds for surveillance and cyberwarfare. Because WhatsApp is one of the most widely used platforms globally – with more than two billion users – it represents an attractive target for attackers seeking scale, reach, and access to private conversations.

For Apple users, this incident serves as a stark reminder that iPhones, often marketed as highly secure, are not invulnerable. Despite Apple’s walled-garden approach and frequent updates, vulnerabilities can and do occur, particularly when combined with flaws in third-party apps like WhatsApp. Security experts caution that as cyber attackers grow more advanced, users must not rely solely on manufacturer reputation. Instead, keeping devices updated, enabling protective modes, and treating unusual device behavior as a red flag are essential practices.

As for the broader context, the rise of zero-click exploits has transformed the cybersecurity landscape. Unlike traditional malware, which requires user mistakes, these sophisticated campaigns prey on invisible flaws in both apps and operating systems. Once inside, they can remain hidden for months, gathering intelligence quietly. This is why both WhatsApp and Apple continue to invest heavily in security research and why experts like Ó Cearbhaill stress vigilance for anyone at risk of being a surveillance target.

WhatsApp, which Facebook (now Meta) acquired back in 2014 for over $21 billion, remains under constant scrutiny given its central role in private communications worldwide. With this latest security scare, the message is clear: users should not delay updates. By acting quickly, installing patches, and adopting stronger device protections, iPhone and Android owners alike can significantly reduce the risk of falling victim to these increasingly stealthy cyberattacks.