WhatsApp Patched Zero-Click Flaw Exploited in Paragon Spyware Attacks

1️⃣ Paragon spyware exploited WhatsApp’s zero-click flaw to target users globally.
2️⃣ The flaw was a heap-based buffer overflow in WhatsApp’s RTP component.
3️⃣ WhatsApp patched the vulnerability in October 2024 after it was discovered.
4️⃣ There is no publicly available CVE specifically linked to this WhatsApp zero-click vulnerability.

No time to read? We’ve got you covered! Listen to the article:

Earlier this year, Reuters revealed that Paragon spyware had cybersecurity experts raising alarms over its chilling ability to infiltrate devices without a single click. Paragon, an Israeli surveillance tech company, was accused of targeting scores of users worldwide with its powerful spyware. What makes Paragon’s tool so dangerous is its zero-click nature—meaning it doesn’t need you to tap, click, or even open anything to infect your device. Once in, it can harvest data like messages, calls, location, and pretty much anything else stored on your phone. According to reports, Paragon’s clients include law enforcement and intelligence agencies from around the world, raising major privacy concerns. Reuters reported the discovery of this threat in late January 2025, adding another name to the growing list of Israeli spyware companies involved in surveillance scandals.

Fast forward to March 2025, and BleepingComputer reported that WhatsApp had officially confirmed patching a zero-click vulnerability allegedly exploited by Paragon. This flaw was identified as a heap-based buffer overflow bug within WhatsApp’s Real-Time Transport Protocol (RTP) component. For non-tech folks, think of it like a hidden gap in the app’s system that attackers could exploit—without you ever knowing. A specially crafted video call sent over WhatsApp could have been enough to compromise a device, even without the user answering.

The attack vector made it the perfect tool for spying, especially since it left zero trace of interaction. WhatsApp acted quickly, rolling out patches in October 2024 with updates v2.23.20.76 for Android and v23.20.78 for iOS. If you’ve been ignoring app updates, now’s the time to double-check—seriously.

What’s even scarier? Reports suggest Paragon’s spyware, called Chronos, can bypass encrypted messaging protections, capturing content before it gets encrypted. That means even WhatsApp’s famed end-to-end encryption couldn’t save you once the malware is on your phone.

Meta stressed that there’s no evidence of mass exploitation, but targeted users—likely journalists, activists, and high-profile individuals—were compromised. Once again, this incident raises eyebrows about the spyware industry and the need for global regulation.

Bottom line—update your apps regularly and stay informed. Cyber threats like these aren’t going away anytime soon, but awareness is your first line of defense.

Update: As of the writing of this report, there is no publicly available CVE specifically linked to this WhatsApp zero-click vulnerability. This suggests that while WhatsApp addressed the security flaw, it may not have been assigned a CVE ID, or the details have not been publicly disclosed.

Credit to @attritionorg for their diligence in helping us verify and clarify the facts in this report.