WhatsApp recently fixed a major security loophole that was being used to install spyware on users' devices. The issue, known as a zero-click, zero-day vulnerability, allowed hackers to access phones without the user needing to click on anything. Security experts from the University of Toronto’s Citizen Lab uncovered this attack and linked it to Paragon’s spyware, called Graphite.
The flaw was patched by WhatsApp in late 2023 without requiring users to update their app. The company also chose not to assign a CVE-ID to the vulnerability, as it did not meet specific reporting criteria.
A WhatsApp spokesperson confirmed that hackers used the flaw to target certain individuals, including journalists and activists. WhatsApp directly reached out to around 90 affected users across multiple countries.
How the Attack Worked
Hackers used WhatsApp groups to launch their attacks. They added their targets to a group and sent a malicious PDF file. As soon as the file reached the victim’s phone, the device automatically processed it. This triggered the exploit, allowing the spyware to install itself without any user action.
Once installed, the spyware could access sensitive data and private messages. It could also move beyond WhatsApp and infect other apps by bypassing Android’s security barriers. This gave attackers complete control over the victim’s device.
Who Was Targeted?
According to Citizen Lab, the attack mostly focused on individuals who challenge governments or advocate for human rights. Journalists, activists, and government critics were among the key targets. However, since only 90 people were officially notified by WhatsApp, experts believe the actual number of victims could be much higher.
Researchers found a way to detect the spyware by analyzing Android device logs. They identified a forensic marker, nicknamed "BIGPRETZEL," that appears on infected devices. However, spotting the spyware is still difficult because Android logs do not always capture all traces of an attack.
Spyware Linked to Government Agencies
Citizen Lab also investigated the infrastructure used to operate the spyware. Their research uncovered multiple servers connected to Paragon’s spyware, some of which were linked to government agencies in countries like Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Many of these servers were rented through cloud platforms or hosted directly by government agencies.
Further investigation revealed that the spyware's digital certificates contained the name “Graphite” and references to installation servers. This raised concerns about whether Paragon's spyware operates similarly to Pegasus, another surveillance tool known for being used by governments to monitor individuals.
Who Is Behind Paragon Spyware?
Paragon Solutions Ltd., the company behind Graphite spyware, is based in Israel. It was founded in 2019 by Ehud Barak, Israel’s former Prime Minister, and Ehud Schneorson, a former commander of Unit 8200, an elite Israeli intelligence unit.
Paragon claims that it only sells its technology to democratic governments for use by law enforcement agencies. However, reports have shown that U.S. agencies, including the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE), have purchased and used its spyware.
In December 2024, a U.S.-based investment firm, AE Industrial Partners, bought Paragon, further raising questions about its future operations and how its surveillance tools may be used.
Protecting Yourself from Spyware
While WhatsApp has fixed this specific security flaw, spyware threats continue to evolve. Users can take the following steps to protect themselves:
1. Update Your Apps: Always keep your apps updated, as companies frequently release security patches.
2. Be Cautious of Unknown Files: Never open suspicious PDFs, links, or attachments from unknown sources.
3. Enable Two-Factor Authentication: Adding an extra layer of security to your accounts makes it harder for hackers to break in.
4. Check Your Device Logs: If you suspect spyware, seek professional help to analyze your phone’s activity.
Spyware attacks are becoming more advanced, and staying informed is key to protecting your privacy. WhatsApp’s quick response to this attack highlights the ongoing battle against cyber threats and the need for stronger security measures.
New proposals in the French Parliament would require tech companies to hand over decrypted messages and email; businesses that don’t comply would face heavy fines.
France has proposed a law requiring end-to-end encrypted messaging apps like WhatsApp and Signal, and encrypted email services like Proton Mail, to give law enforcement agencies access to decrypted data on demand.
The move follows France’s proposed “Narcotraffic” bill, which asks tech companies to hand over the encrypted chats of suspected criminals within 72 hours.
The law has stirred debate in the tech community and among civil society groups because it may lead to the building of “backdoors” into encrypted services that can be abused by threat actors and state-sponsored criminals.
Individuals failing to comply would face fines of €1.5m, and companies could lose up to 2% of their annual worldwide turnover if they are unable to hand over encrypted communications to the government.
Some experts believe it is not possible to add backdoors to encrypted communications without weakening their security.
According to Computer Weekly’s report, Matthias Pfau, CEO of Tuta Mail, a German encrypted mail provider, said, “A backdoor for the good guys only is a dangerous illusion. Weakening encryption for law enforcement inevitably creates vulnerabilities that can – and will – be exploited by cyber criminals and hostile foreign actors. This law would not just target criminals, it would destroy security for everyone.”
Researchers stress that the French proposals are not technically achievable without “fundamentally weakening the security of messaging and email services.” Like the UK’s “Online Safety Act,” the proposed French law reveals a serious misunderstanding of what is practically achievable with end-to-end encrypted systems. Experts believe “there are no safe backdoors into encrypted services.”
The law would also allow the use of infamous spyware such as NSO Group’s Pegasus or Paragon’s tools, enabling officials to remotely surveil devices. “Tuta Mail has warned that if the proposals are passed, it would put France in conflict with European Union laws, and German IT security laws, including the IT Security Act and Germany’s Telecommunications Act (TKG) which require companies to secure their customer’s data,” reports Computer Weekly.
WhatsApp has warned users about a highly advanced hacking attack that infected nearly 90 people across 24 countries. Unlike traditional cyberattacks that rely on tricking victims into clicking malicious links, this attack used zero-click spyware, meaning the targets were hacked without taking any action.
What Happened?
Hackers exploited a security vulnerability in WhatsApp to send malicious documents to the victims’ devices. These documents contained spyware that could take control of the phone without the user clicking or opening anything.
According to reports, the attack was linked to Paragon Solutions, an Israeli company that develops spyware for government agencies. While governments claim such tools help in law enforcement and national security, they have also been misused to spy on journalists, activists, and members of civil society.
Who Was Targeted?
The specific names of the victims have not been disclosed, but reports confirm that journalists and human rights advocates were among those affected. Many of them were based in European nations, but the attack spread across multiple regions.
WhatsApp acted quickly to disrupt the attack and alerted the affected users. It also referred them to Citizen Lab, a cybersecurity research group that investigates digital threats.
What is a Zero-Click Attack?
A zero-click attack is a form of cyberattack where hackers do not need the victim to click, open, or download anything. Instead, the attack exploits weaknesses in apps or operating systems, allowing spyware to be installed silently.
Unlike phishing attacks that trick users into clicking harmful links, zero-click attacks bypass user interaction completely, making them much harder to detect or prevent.
How Dangerous Is This Spyware?
Once installed, the spyware can:
1. Access private messages, calls, and photos
2. Monitor activities and track location
3. Activate the microphone or camera to record conversations
4. Steal sensitive personal data
Cybersecurity experts warn that such spyware can be used for mass surveillance, threatening privacy and security worldwide.
Who is Behind the Attack?
WhatsApp has linked the spyware to Paragon Solutions, but has not revealed how this conclusion was reached. Authorities and cybersecurity professionals are now investigating further.
How to Stay Safe from Spyware Attacks
While zero-click attacks are difficult to prevent, you can reduce the risk by:
1. Keeping Your Apps Updated – Always update WhatsApp and your phone’s operating system to patch security flaws.
2. Enabling Two-Factor Authentication (2FA) – This adds an extra layer of security to your account.
3. Being Cautious with Unknown Messages – While this attack required no interaction, remaining alert can help protect against similar threats.
4. Using Encrypted and Secure Apps – Apps with end-to-end encryption, like WhatsApp and Signal, make it harder for hackers to steal data.
5. Monitoring Unusual Phone Activity – If your phone suddenly slows down, heats up, or experiences rapid battery drain, it may be infected. Run a security scan immediately.
This WhatsApp attack is a reflection of the growing threats posed by spyware. As hacking methods become more advanced and harder to detect, users must take steps to protect their digital privacy. WhatsApp’s quick response limited the damage, but the incident highlights the urgent need for stronger cybersecurity measures to prevent such attacks in the future.
One such interesting incident is the recent WhatsApp “zero-click” hacking incident. In a conversation with Reuters, a WhatsApp official disclosed that Israeli spyware company Paragon Solutions was targeting its users, whose victims include journalists and civil society members. Earlier this week, the official told Reuters that WhatsApp had sent Paragon a cease-and-desist notice after the surveillance hack. In its official statement, WhatsApp stressed it will “continue to protect people's ability to communicate privately."
According to Reuters, WhatsApp had noticed an attempt to hack around 90 users. The official didn’t disclose the identity of the targets but hinted that the victims belonged to more than a dozen countries, mostly in Europe. WhatsApp users were sent infected files that didn’t require any user interaction to compromise their targets; the technique is called a “zero-click” hack and is known for its stealth.
“The official said WhatsApp had since disrupted the hacking effort and was referring targets to Canadian internet watchdog group Citizen Lab,” Reuters reports. He didn’t discuss how it was determined that Paragon was the culprit, but added that law enforcement agencies and industry partners had been notified, and gave no further details.
“The FBI did not immediately return a message seeking comment,” Reuters said. Citizen Lab researcher John Scott-Railton said the finding of Paragon spyware attacking WhatsApp is a “reminder that mercenary spyware continues to proliferate and as it does, so we continue to see familiar patterns of problematic use."
Spyware businesses like Paragon sell advanced surveillance software to government clients and present their services as “critical to fighting crime and protecting national security,” Reuters mentions. However, history suggests that such surveillance tools have largely been used for spying, and in this case on journalists, activists, opposition politicians, and around 50 U.S. officials. This raises questions about the lawless use of technology.
Paragon, which was reportedly acquired by Florida-based investment group AE Industrial Partners last month, has tried to position itself publicly as one of the industry's more responsible players. On its website, Paragon advertises the software as “ethically based tools, teams, and insights to disrupt intractable threats,” and media reports citing people acquainted with the company “say Paragon only sells to governments in stable democratic countries,” Reuters mentions.
The evolving threat landscape continues to present new challenges, with NCC Group’s latest Threat Pulse report uncovering the emergence of Ymir ransomware. This new ransomware strain showcases the growing collaboration among cybercriminals to execute highly sophisticated attacks.
First documented during the summer of 2024, Ymir initiates its attack cycle by deploying RustyStealer, an infostealer designed to extract credentials and serve as a spyware dropper. Ymir then enters its locker phase, executing swiftly to avoid detection. According to an analysis by Kaspersky, based on an attack in Colombia, Ymir’s ransomware locker employs a configurable, victim-tailored approach, focusing on a single-extortion model, where data is encrypted but not stolen.
Unlike many modern ransomware groups, Ymir’s operators lack a dedicated leak site for stolen data, further distinguishing them. Linguistic analysis of the code revealed Lingala language strings, suggesting a possible connection to Central Africa. However, experts remain divided on whether Ymir operates independently or collaborates with other threat actors.
Matt Hull, NCC Group’s Head of Threat Intelligence, emphasized the challenges of attribution in modern cybercrime, noting that blurred lines between criminal groups and state-sponsored actors often complicate motivations. Geopolitical tensions are a driving factor behind these dynamic threat patterns, as highlighted by the UK’s National Cyber Security Centre (NCSC).
Recent incidents exemplify this evolving threat landscape:
NCC Group’s report indicates a 16% rise in ransomware incidents in November 2024, with 565 attacks recorded. The industrial sector remains the most targeted, followed by consumer discretionary and IT. Geographically, Europe and North America experienced the highest number of incidents. Akira ransomware overtook RansomHub as the most active group during this period.
State-backed cyber groups continue to escalate their operations:
Ransomware is evolving into a multipurpose tool, used by hacktivists to fund operations or to obfuscate advanced persistent threats (APTs). With its trajectory pointing to continued growth and sophistication in 2025, heightened vigilance and proactive measures will be essential to mitigate these risks.
The US Treasury Department imposed further sanctions on five individuals and one entity connected to the Intellexa Consortium, a reportedly tainted holding company behind notorious spyware known as Predator. US officials say that even though more sanctions were imposed last year and again this year, additional steps were necessary because of the complicated network of corporate entities Intellexa had established to avoid responsibility.
Most notably, the sanctions address how the Intellexa Consortium, while routing money through holding companies, continued to move funds and sell its Predator spyware across multiple holding companies. According to one senior administration official, the new sanctions target the loopholes that enable companies such as Intellexa to operate this way. To that extent, the sanctions show the U.S. government’s consistent effort to hold accountable entities that threaten the nation's security and violate civil liberties.
How Predator Spyware Works
Known for stealing sensitive information from devices via one-click and zero-click attacks that require little or no action from the victim, Predator spyware can track people, monitor phone calls, and obtain access to the data on smartphones and other devices. Since 2019, this malware has spread to Android and iPhone devices globally, even affecting the U.S. government.
The Biden administration has recently confirmed that over 50 US government employees in more than 10 countries have been affected by commercial spyware such as Predator. Though the exact locations of the attacks have not been made public, such threats are under close observation by the administration.
Key Individuals and Entities Impacted By Sanctions
The new wave of sanctions hits key players in Intellexa’s network. Among them is Felix Bitzios, owner of one of the companies that sold Predator spyware to foreign governments. Another, Andrea Nicola Constantino Hermes Gambazzi, is accused of facilitating financial transactions for other Intellexa entities. Merom Harpaz, Panagiota Karaoli, and Artemis Artemiou were also sanctioned. The organisation Aliada Group Inc., operating in the British Virgin Islands, was sanctioned for transferring millions of dollars to Intellexa.
Tal Jonathan Dilian, a founder of Intellexa, was already sanctioned in March; however, that did not restrain the corporation, which continued to sell spyware to governments worldwide.
Intellexa’s reach is extensive, with Predator spyware reportedly used by state-sponsored actors and governments in many countries around the world, including Egypt, Indonesia, Saudi Arabia, and the Philippines. According to recent reports, while US sanctions did appear to slow its sales and adoption, they were unable to halt the spyware entirely or keep it in check. Instead, researchers found that Predator continues to rebound. New clients include government officials and representatives from Angola, Madagascar, and the Democratic Republic of Congo.
More recently, Google disclosed that the Russian government was also using exploits originating from Intellexa, raising concerns about the company's activities around the globe.
U.S. sanctions are one of many moves in the government’s plan against spyware. Several companies have already been blacklisted, and the State Department has banned the visas of individuals linked to the misuse of spyware. Such was the case for Israeli firms like NSO Group, manufacturer of the notorious Pegasus spyware, which was blacklisted in 2021.
In the near future, the U.S. will host a high-level meeting at the UN General Assembly intended to bring more countries on board in fighting the misuse of commercial spyware. Officials believe that the sanctions imposed so far already make it harder for Intellexa to move money and conduct its business.
A Warning to Spyware Vendors
According to the U.S. Treasury, the sanctions send an unmistakably clear message of consequences not just for spyware vendors like Intellexa but also for the corporate structures and shell companies that conceal their operations, however deeply layered. The efforts aim both to prevent exploitative technologies and to promote the responsible development of cybersecurity solutions that follow international standards.
As the U.S. moves to tighten its restrictions on spyware, companies operating in that area face growing calls to reconsider their involvement in these businesses. Experts believe that skilled cyber professionals have already shunned the spyware business to avoid possible legal and financial consequences.
A Minnesota-based spyware company has been hacked, exposing thousands of devices worldwide under its covert surveillance, TechCrunch has learned.