
WhatsApp fixes 'zero-click bug' on Apple devices: How to update your device

The flaw lets attackers compromise Apple devices without user interaction by chaining WhatsApp and iOS vulnerabilities. Fewer than 200 users were targeted, WhatsApp said


WhatsApp on an iPhone (Photo: Bloomberg)

Harsh Shivam New Delhi


WhatsApp has released an update to patch a zero-click vulnerability that may have been exploited against a small group of targeted users on Apple devices. The flaw (CVE-2025-55177) was reportedly combined with an OS-level bug on Apple platforms, which Apple has since addressed. But what exactly is a “zero-click” bug, and how was it used in this case?

WhatsApp: What is a zero-click bug?

A zero-click bug is a type of software vulnerability that allows a hacker to install malware or gain access to a device without requiring any action from the user, such as clicking a link or opening an attachment. 
 
These “zero-click attacks” usually exploit weaknesses in apps, especially messaging and communication platforms, to bypass standard security protections. Since no user interaction is needed, the attack often goes unnoticed by both the victim and conventional security software. 

How do zero-click bugs work?

The mechanism of attack typically involves exploiting a ‘zero-day vulnerability’—an unpatched or unknown flaw in hardware or software. Malicious code is hidden inside a text message, an image, or even an email sent through a communication app. When the device automatically processes this data, the exploit is triggered, silently installing malware or opening a backdoor for remote access.
 
Because the user never has to interact with the malicious file, zero-click attacks are nearly invisible and extremely hard to detect or prevent using traditional security methods.

What happened in the WhatsApp-Apple case?

According to Donncha O Cearbhaill, who leads Amnesty International’s Security Lab, the attack was part of an “advanced spyware campaign” that has been active for roughly 90 days, starting in late May.
 
WhatsApp explained in its security update blog that the flaw in its app was combined with an OS-level vulnerability in Apple devices. Apple fixed the issue on August 20 with the release of iOS 18.6.2 and iPadOS 18.6.2. On its support page, the company noted:
“Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
 
While Apple did not disclose which users were affected, WhatsApp spokesperson Margarita Franklin told TechCrunch that fewer than 200 individuals were notified about the attack.

What should users do?

As reported by 9to5Google, Meta informed affected users that it cannot confirm with certainty if their devices were compromised. However, it recommended performing a full factory reset of the device. The advisory also urged users to update to the latest OS version and ensure that WhatsApp is kept up to date.
 
For users who did not receive a notification, it is still recommended to update WhatsApp to the newest version and install the latest available updates on Apple devices to stay protected.


First Published: Sep 01 2025 | 12:44 PM IST
