WhatsApp has patched a zero-click, zero-day vulnerability that was exploited to install Paragon’s Graphite spyware following reports from security researchers at the University of Toronto’s Citizen Lab.
The company addressed the attack vector late last year without requiring a client-side fix and decided against assigning a CVE-ID after reviewing MITRE guidelines and internal policies.
A WhatsApp spokesperson confirmed that the spyware targeted journalists and civil society members, and affected users were notified directly. After mitigating the exploit on January 31, WhatsApp informed around 90 Android users across two dozen countries, including Italian journalists and activists, about the attack.
The spyware was deployed through a PDF sent in a WhatsApp group. The file was processed automatically, exploiting the now-patched vulnerability to load the Graphite spyware implant. Once installed, the spyware escaped the Android sandbox, compromising other apps and granting attackers access to victims’ private communications.
Researchers identified forensic artifacts, including a signature named BIGPRETZEL, which can be used to detect infections. However, evidence of infection may be overwritten or missing due to the sporadic nature of Android logs. Citizen Lab also mapped Paragon’s infrastructure, uncovering links to multiple government customers in Australia, Canada, Denmark, and Israel. By analyzing a single server, researchers identified 150 digital certificates tied to dozens of IP addresses associated with the spyware’s command and control network.
Paragon Solutions, the Israeli spyware company behind Graphite, was founded in 2019 by former Israeli Prime Minister Ehud Barak and former Unit 8200 commander Ehud Schneorson. Florida-based AE Industrial Partners acquired the company in December 2024. Unlike NSO Group, Paragon claims to sell its surveillance tools exclusively to democratic governments for law enforcement purposes. Reports indicate that the U.S. Drug Enforcement Administration (DEA) used Graphite in 2022, and in 2024, Paragon secured a $2 million contract with U.S. Immigration and Customs Enforcement (ICE).
WhatsApp Patches Zero-Click Vulnerability Exploited by Spyware
Bijay Pokharel