WhatsApp Fixes Zero-Day Flaw Exploited by Paragon Graphite Spyware

TL;DR

WhatsApp has patched a zero-day vulnerability that was exploited to install Paragon’s Graphite spyware on targeted devices. The campaign, discovered by Meta and Citizen Lab, targeted journalists and civil society members, highlighting the urgent need for enhanced cybersecurity measures.

WhatsApp Patches Critical Zero-Day Vulnerability

WhatsApp has addressed a zero-click, zero-day vulnerability that was exploited to install Paragon’s Graphite spyware on the devices of targeted individuals¹. This patch comes after a comprehensive investigation by Meta and Citizen Lab, which uncovered a sophisticated spyware campaign targeting journalists and civil society members.

Details of the Spyware Campaign

The spyware campaign, orchestrated by Paragon, was disrupted in December 2024. WhatsApp confirmed that the issue was resolved without requiring a client-side update, and no CVE-ID was assigned¹. The campaign targeted approximately 90 users, who were immediately alerted by WhatsApp about the potential compromise of their devices¹.

Meta linked the campaign to Paragon, an Israeli commercial surveillance vendor acquired by AE Industrial Partners for $900 million in December 2024². The exploit used a “zero-click” method, meaning it could compromise target devices without any user interaction¹.

WhatsApp’s Response and Legal Actions

WhatsApp sent a “cease and desist” letter to Paragon and is exploring legal action against the company. A WhatsApp spokesperson emphasized the importance of holding spyware companies accountable for their unlawful actions, stating, “WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately”³.

Citizen Lab’s Role in the Investigation

Citizen Lab, a research group from the University of Toronto, played a crucial role in analyzing the attacks and sharing their findings with WhatsApp. Their report highlighted that a specially crafted PDF file was used as bait, sent to target users after they were added to group chats⁴. Citizen Lab’s analysis was pivotal in Meta’s ongoing investigation into Paragon⁴.

Global Implications and Further Investigations

Citizen Lab mapped Paragon Solutions’ spyware infrastructure, identifying its tool “Graphite” through digital fingerprints and certificates. The infrastructure was linked to IP addresses hosted at local telecoms, suggesting government customers. A misconfigured digital certificate further confirmed the connection, strengthening the evidence of Paragon’s global spyware operations⁵.

The report by Citizen Lab suggests that Australia, Canada, Cyprus, Denmark, Israel, and Singapore may be clients of Israeli spyware maker Paragon Solutions⁵.

Conclusion

The discovery and mitigation of the Paragon spyware campaign underscore the ongoing threat of surveillance technologies. As WhatsApp continues to enhance its security measures, the incident serves as a reminder of the critical need for vigilance and proactive cybersecurity strategies to protect users’ privacy and security.

Additional Resources

For further insights, check:

• Bleeping Computer
• TechCrunch
• The Guardian

References

1. (2025). “WhatsApp patched zero-day flaw used in Paragon spyware attacks”. Bleeping Computer. Retrieved 2025-03-20. ↩︎ ↩︎² ↩︎³ ↩︎⁴

2. (2024). “Israeli spyware maker Paragon bought by U.S. private equity giant”. TechCrunch. Retrieved 2025-03-20. ↩︎

3. (2025). “WhatsApp Israel spyware”. The Guardian. Retrieved 2025-03-20. ↩︎

4. Scott-Railton, John. (2025). “A First Look at Paragon’s Proliferating Spyware Operations”. Citizen Lab. Retrieved 2025-03-20. ↩︎ ↩︎²

5. Citizen Lab. (2025). “A First Look at Paragon’s Proliferating Spyware Operations”. Citizen Lab. Retrieved 2025-03-20. ↩︎ ↩︎²