WhatsApp Fixes Zero-Day Flaw Exploited by Paragon Graphite Spyware
WhatsApp addresses a critical zero-click, zero-day vulnerability used to deploy Paragon's Graphite spyware, targeting journalists and civil society members.
TL;DR
WhatsApp has patched a zero-day vulnerability that was exploited to install Paragon’s Graphite spyware on targeted devices. The campaign, discovered by Meta and Citizen Lab, targeted journalists and civil society members, highlighting the urgent need for enhanced cybersecurity measures.
WhatsApp Patches Critical Zero-Day Vulnerability
WhatsApp has addressed a zero-click, zero-day vulnerability that was exploited to install Paragon’s Graphite spyware on the devices of targeted individuals [1]. This patch comes after a comprehensive investigation by Meta and Citizen Lab, which uncovered a sophisticated spyware campaign targeting journalists and civil society members.
Details of the Spyware Campaign
The spyware campaign, orchestrated by Paragon, was disrupted in December 2024. WhatsApp confirmed that the issue was resolved without requiring a client-side update, and no CVE-ID was assigned [1]. The campaign targeted approximately 90 users, who were immediately alerted by WhatsApp about the potential compromise of their devices [1].
Meta linked the campaign to Paragon, an Israeli commercial surveillance vendor acquired by AE Industrial Partners for $900 million in December 2024 [2]. The exploit used a “zero-click” method, meaning it could compromise target devices without any user interaction [1].
WhatsApp’s Response and Legal Actions
WhatsApp sent a “cease and desist” letter to Paragon and is exploring legal action against the company. A WhatsApp spokesperson emphasized the importance of holding spyware companies accountable for their unlawful actions, stating, “WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately” [3].
Citizen Lab’s Role in the Investigation
Citizen Lab, a research group from the University of Toronto, played a crucial role in analyzing the attacks and sharing their findings with WhatsApp. Their report highlighted that a specially crafted PDF file was used as bait, sent to target users after they were added to group chats [4]. Citizen Lab’s analysis was pivotal in Meta’s ongoing investigation into Paragon [4].
Global Implications and Further Investigations
Citizen Lab mapped Paragon Solutions’ spyware infrastructure, identifying its tool “Graphite” through digital fingerprints and certificates. The infrastructure was linked to IP addresses hosted at local telecoms, suggesting government customers. A misconfigured digital certificate further confirmed the connection, strengthening the evidence of Paragon’s global spyware operations [5].
The report by Citizen Lab suggests that Australia, Canada, Cyprus, Denmark, Israel, and Singapore may be clients of Israeli spyware maker Paragon Solutions [5].
Conclusion
The discovery and mitigation of the Paragon spyware campaign underscore the ongoing threat of surveillance technologies. As WhatsApp continues to enhance its security measures, the incident serves as a reminder of the critical need for vigilance and proactive cybersecurity strategies to protect users’ privacy and security.
References
1. (2025). “WhatsApp patched zero-day flaw used in Paragon spyware attacks”. Bleeping Computer. Retrieved 2025-03-20.
2. (2024). “Israeli spyware maker Paragon bought by U.S. private equity giant”. TechCrunch. Retrieved 2025-03-20.
3. (2025). “WhatsApp Israel spyware”. The Guardian. Retrieved 2025-03-20.
4. Scott-Railton, John. (2025). “A First Look at Paragon’s Proliferating Spyware Operations”. Citizen Lab. Retrieved 2025-03-20.
5. Citizen Lab. (2025). “A First Look at Paragon’s Proliferating Spyware Operations”. Citizen Lab. Retrieved 2025-03-20.