HomeCyber SecurityWhatsApp Patched Zero-Click Flaw Exploited in Paragon Spyware Attacks

WhatsApp Patched Zero-Click Flaw Exploited in Paragon Spyware Attacks

Date:

Related Posts

Deepfakes: The Scary, Funny, and Dangerous World of AI-Generated Fakes

Ever stumbled on a video of Elon Musk rapping or Obama saying things he’d never say? Chances are, you’ve witnessed a deepfake in action.

Fake ‘DeepSeek’ AI Installers Are Infecting Devices with Malware — Here’s What You Need to Know

If you’ve been hearing a lot about DeepSeek AI lately, you’re not alone. With all the hype surrounding this new AI tool—presented as a cheaper alternative to big names like OpenAI and Meta—it’s no surprise people are rushing to try it out.

Android Users Beware! Massive Ad Fraud Outsmarting Google Play Security – What You Need to Know

Bitdefender’s security researchers have uncovered a massive ad fraud campaign that slipped hundreds of malicious apps past Google Play Store’s defenses.

Social Media Posts Spotlight Gemini 2.0 Flash AI Model’s Watermark Removal Capability

Looks like Google’s Gemini 2.0 Flash AI has just stirred up a new controversy—people on X (formerly Twitter) have been showing off how it can wipe watermarks off images like they were never there.

China Imposes New AI-Generated Content Labeling Rules to Tackle Misinformation

China is making significant strides to address the growing concerns surrounding AI-generated content with new regulations designed to enhance transparency and curb misinformation.

1️⃣ Paragon spyware exploited WhatsApp’s zero-click flaw to target users globally.
2️⃣ The flaw was a heap-based buffer overflow in WhatsApp’s RTP component.
3️⃣ WhatsApp patched the vulnerability in October 2024 after it was discovered.
4️⃣ There is no publicly available CVE specifically linked to this WhatsApp zero-click vulnerability.


No time to read? We’ve got you covered! Listen to the article:

Earlier this year, Reuters revealed that Paragon spyware had cybersecurity experts raising alarms over its chilling ability to infiltrate devices without a single click. Paragon, an Israeli surveillance tech company, was accused of targeting scores of users worldwide with its powerful spyware. What makes Paragon’s tool so dangerous is its zero-click nature—meaning it doesn’t need you to tap, click, or even open anything to infect your device. Once in, it can harvest data like messages, calls, location, and pretty much anything else stored on your phone. According to reports, Paragon’s clients include law enforcement and intelligence agencies from around the world, raising major privacy concerns. Reuters reported the discovery of this threat in late January 2025, adding another name to the growing list of Israeli spyware companies involved in surveillance scandals.

Fast forward to March 2025, and BleepingComputer reported that WhatsApp had officially confirmed patching a zero-click vulnerability allegedly exploited by Paragon. This flaw was identified as a heap-based buffer overflow bug within WhatsApp’s Real-Time Transport Protocol (RTP) component. For non-tech folks, think of it like a hidden gap in the app’s system that attackers could exploit—without you ever knowing. A specially crafted video call sent over WhatsApp could have been enough to compromise a device, even without the user answering.

The attack vector made it the perfect tool for spying, especially since it left zero trace of interaction. WhatsApp acted quickly, rolling out patches in October 2024 with updates v2.23.20.76 for Android and v23.20.78 for iOS. If you’ve been ignoring app updates, now’s the time to double-check—seriously.

What’s even scarier? Reports suggest Paragon’s spyware, called Chronos, can bypass encrypted messaging protections, capturing content before it gets encrypted. That means even WhatsApp’s famed end-to-end encryption couldn’t save you once the malware is on your phone.

Meta stressed that there’s no evidence of mass exploitation, but targeted users—likely journalists, activists, and high-profile individuals—were compromised. Once again, this incident raises eyebrows about the spyware industry and the need for global regulation.

Bottom line—update your apps regularly and stay informed. Cyber threats like these aren’t going away anytime soon, but awareness is your first line of defense.

Update: As of the writing of this report, there is no publicly available CVE specifically linked to this WhatsApp zero-click vulnerability. This suggests that while WhatsApp addressed the security flaw, it may not have been assigned a CVE ID, or the details have not been publicly disclosed.

Credit to @attritionorg for their diligence in helping us verify and clarify the facts in this report.


Discover more from TECH HOTSPOT

Subscribe to get the latest posts sent to your email.

Virgel
Virgel
Virgel is an educator and writer with a passion for technology. With years of experience shaping young minds in the classroom, he also dedicates his spare time to editing and crafting short stories. Driven by his love for technology, Virgel stays up to date with the latest innovations, sharing his insights through articles and blogs. His work covers a wide range of topics, from AI and cybersecurity to in-depth industry advancements.

Latest Posts