0-Click WhatsApp Attack Targets iOS 16 Users Account Takeover

A new 0-click WhatsApp account takeover attack is alarming iOS 16 users, with multiple iPhone owners reporting their accounts hijacked. The incidents occurred without any user interaction, warnings, or visible linked devices, raising significant security concerns.

According to a recent forensic investigation by the Italian security firm Forenser, attackers are exploiting a zero-click attack chain that allows them to silently access WhatsApp accounts, even while the legitimate user remains logged in.

Victims, primarily using iPhones running iOS 16 across models from iPhone 8 to iPhone 14, noticed unauthorized messages being sent from their accounts requesting money transfers, yet found no suspicious activity in the “Linked Devices” section.

0-Click WhatsApp Hijack Targets iOS 16 Users

Unlike traditional WhatsApp hijacking techniques such as QR code phishing or GhostPairing campaigns, this attack does not require user action, making it significantly more dangerous and difficult to detect.

Forensics ’ analysis identified unusual “resync” events in iOS unified logs, indicating that both the victim’s device and the attacker’s client were simultaneously competing to maintain control over the same WhatsApp session.

This behavior suggests that the attacker establishes a parallel session without registering it as a linked device, effectively bypassing WhatsApp’s visibility controls.

The attack reportedly chains CVE-2025-43300, an Apple ImageIO out-of-bounds write flaw, with CVE-2025-55177, a WhatsApp linked-device synchronization vulnerability affecting iOS versions below 16.7.12.

CVE-2025-43300 enables malicious image-based exploitation, while CVE-2025-55177 impacts improper handling of WhatsApp linked-device sync messages on vulnerable iOS devices.

Researchers found that attackers could leverage these flaws to extract cryptographic session data directly from the device, enabling them to initialize a rogue WhatsApp client tied to the victim’s account without triggering alerts.

Supporting evidence includes repeated image-processing errors documented in system logs at the time of compromise, reinforcing the likelihood of a malicious payload delivered via image-based vectors.

In controlled lab testing, Forenser successfully reproduced parts of the attack, confirming that session hijacking can occur without user awareness and without leaving typical forensic traces such as new device pairings.

To mitigate the risk, users are strongly advised to update their devices to the latest iOS version, as Apple has already patched CVE-2025-43300 in newer releases.

Additional protective steps include reinstalling WhatsApp, enabling chat lock features to restrict unauthorized access, and re-authenticating accounts on clean devices to invalidate attacker sessions.

Users should also avoid responding to suspicious financial requests via WhatsApp and instead verify them by phone, as attackers may intercept ongoing conversations.

This campaign highlights a growing trend: zero-click exploits, once limited to advanced state-sponsored operations, are increasingly adopted by financially motivated cybercriminals.

The widespread use of unpatched iOS 16 devices combined with publicly documented vulnerabilities has created an expanded attack surface, enabling threat actors to scale sophisticated attacks more effectively.

As investigations continue, this incident underscores the urgency of timely patching and proactive mobile security practices in defending against evolving zero-click threats.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.