Zero-Click WhatsApp Attack Hijacks iOS 16 Accounts Silently

Silent Threat: Zero-Click WhatsApp Attack Is Hijacking iOS 16 Accounts Without Warning

A newly documented zero-click WhatsApp account takeover attack is compromising iPhones running iOS 16 without any interaction from the device owner. Victims have had unauthorized messages sent from their accounts, including fraudulent money transfer requests, while their WhatsApp app showed no sign of intrusion, no linked devices, no login alerts, and no visible activity. The attack was uncovered through forensic investigation by Italian security firm Forenser and represents a significant escalation in mobile messaging threats affecting millions of iPhone users, including an estimated 9 to 10 million active WhatsApp users across Canada.

How the Zero-Click Attack Works on iOS 16

What sets this attack apart from common WhatsApp hijacking methods is the complete absence of victim interaction. Traditional account compromise techniques, such as QR code phishing or GhostPairing attacks, require the target to take some action. This campaign requires nothing.

Forensic analysis of compromised devices revealed unusual “resync” events recorded in iOS unified logs. These events indicate that both the victim’s legitimate device and an attacker-controlled client were simultaneously contending for control of the same WhatsApp session. The attacker establishes a parallel, undeclared session that never registers as a linked device, meaning it never surfaces in the standard WhatsApp “Linked Devices” panel that users are told to monitor for suspicious access.

The attack chains two distinct vulnerabilities to achieve this. CVE-2025-43300 is an out-of-bounds write flaw in Apple’s ImageIO framework, the system component responsible for processing image files. When triggered by a maliciously crafted image payload, this flaw enables code execution on the device. The second vulnerability, CVE-2025-55177, is a flaw in WhatsApp’s linked-device synchronization handling on iOS versions below 16.7.12. Together, these two weaknesses allow an attacker to extract cryptographic session data directly from the target device, then initialize a rogue WhatsApp client bound to the victim’s account on attacker-controlled hardware, all without generating any alert or notification on the victim’s phone.

System log analysis from compromised devices showed repeated image-processing errors recorded at the exact time of compromise, supporting the assessment that the initial payload is delivered through an image-based vector, potentially via a WhatsApp message containing a crafted image file processed silently in the background before it even appears on screen.

Forenser confirmed in controlled lab testing that session hijacking can be reproduced without user awareness and without leaving the standard forensic traces, such as new device pairing records, that incident responders typically rely on.
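The two log artifacts described above, repeated image-processing errors followed within seconds by WhatsApp "resync" events, are the kind of co-occurrence an incident responder would want to search for automatically. The script below is an added example written for this article, not Forenser's tooling or any published detection rule. It assumes a simplified, constructed log layout of `<timestamp> <process>: <message>` (real `log show` output has more columns, so the regular expression would need adjusting), and it flags any resync event preceded within a short window by two or more ImageIO errors.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified unified-log layout.
# Timestamps, processes and messages are invented for this example.
SAMPLE_LOG = """\
2025-09-12 14:02:40.101 WhatsApp: session keepalive ok
2025-09-12 14:03:11.204 ImageIO: error: invalid image data, decode failed
2025-09-12 14:03:11.209 ImageIO: error: invalid image data, decode failed
2025-09-12 14:03:11.215 ImageIO: error: invalid image data, decode failed
2025-09-12 14:03:12.870 WhatsApp: resync requested by peer device
2025-09-12 14:03:13.002 WhatsApp: resync requested by peer device
2025-09-12 15:40:00.000 WhatsApp: resync requested by peer device
2025-09-12 16:10:05.500 ImageIO: error: unsupported colorspace
"""

# Assumed line format: "<YYYY-MM-DD HH:MM:SS.ffffff> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


def parse_log(text):
    """Parse log text into a list of (timestamp, process, message) tuples.

    Lines that do not match the assumed layout are skipped rather than
    raising, so a partially garbled export still yields usable events.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["proc"], m["msg"]))
    return events


def find_suspicious_windows(events, window=timedelta(seconds=30), min_image_errors=2):
    """Return (first_image_error_ts, resync_ts) pairs worth investigating.

    A WhatsApp resync event is reported when at least `min_image_errors`
    ImageIO error lines occurred in the `window` immediately before it.
    An isolated resync (no preceding image errors) is not reported.
    """
    image_errors = [
        ts for ts, proc, msg in events
        if proc == "ImageIO" and "error" in msg.lower()
    ]
    hits = []
    for ts, proc, msg in events:
        if proc != "WhatsApp" or "resync" not in msg.lower():
            continue
        preceding = [e for e in image_errors if ts - window <= e <= ts]
        if len(preceding) >= min_image_errors:
            hits.append((preceding[0], ts))
    return hits


def cluster_hits(hits, gap=timedelta(seconds=10)):
    """Merge hits whose resync timestamps are within `gap` into one incident.

    Returns a list of (cluster_start_error_ts, last_resync_ts, resync_count).
    """
    clusters = []
    for first_err, resync_ts in sorted(hits, key=lambda h: h[1]):
        if clusters and resync_ts - clusters[-1][1] <= gap:
            start, _, n = clusters[-1]
            clusters[-1] = (start, resync_ts, n + 1)
        else:
            clusters.append((first_err, resync_ts, 1))
    return clusters


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for start, end, n in cluster_hits(find_suspicious_windows(evts)):
        print(f"suspicious: {n} resync event(s) at {end}, image errors from {start}")
```

Run against a real export, the window and error threshold are tuning knobs: a legitimate multi-device user generates occasional resyncs, and ImageIO logs benign decode errors for corrupt attachments, so it is the tight temporal coupling of the two, not either signal alone, that is worth escalating.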

Device Scope: iPhone 8 through iPhone 14 Are Affected

Confirmed victim reports span iPhones from the iPhone 8 through the iPhone 14 lineup, all running iOS 16. This is a broad and significant device range. Many individuals and organizations, including small businesses and government employees across Canada, continue to operate on iOS 16 either by choice or because their hardware cannot support newer iOS versions. iPhone 8 and iPhone X models, for instance, cannot upgrade beyond iOS 16, making those users permanently exposed unless they replace their hardware entirely.

The Broader Threat: Zero-Click Exploits Going Commercial

This incident marks a troubling operational shift. Zero-click exploits, once the exclusive domain of sophisticated nation-state actors using tools like Pegasus spyware, are now being adopted by financially motivated threat actors with no state affiliation. The combination of two publicly documented CVEs chained together into a working attack demonstrates that the operational barrier to deploying zero-click mobile attacks has dropped substantially.

The broad install base of unpatched iOS 16 devices, combined with documented vulnerability details now publicly available, creates an attack surface that criminal groups can exploit at scale. The financial fraud motive observed in this campaign, specifically using hijacked accounts to send money transfer requests to victim contacts, indicates a direct monetization pathway that incentivizes further development and distribution of this technique.

Canadian Impact and Considerations

Canada has one of the highest per-capita smartphone penetration rates in the world, and WhatsApp is widely used across immigrant and multicultural communities, small business operators, and professional networks. The financial fraud component of this attack, where hijacked accounts send money requests to contacts, targets exactly the trust relationships these communities rely on through the platform.

From a legal and regulatory perspective, organizations in Canada whose employees use WhatsApp for any business-related communication should be aware of the implications under PIPEDA. If personal or client data is accessible through a compromised WhatsApp account, or if the account is used to communicate with customers, the compromise may constitute a reportable breach under Canada’s mandatory breach notification requirements.

The Canadian Centre for Cyber Security (CCCS) has consistently advised Canadians to keep mobile operating systems fully patched and to treat unexpected financial requests received via messaging apps as high-risk signals, regardless of the apparent sender. This campaign makes that guidance more urgent than ever.

Canadian mobile device management (MDM) administrators overseeing corporate iOS device fleets should treat any device on iOS 16 that cannot be upgraded as a managed risk and consider restricting WhatsApp access on those devices until hardware can be replaced or compensating controls are implemented.
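An MDM administrator acting on that advice needs to sort a fleet into three buckets: devices already at or above the version the article gives as the boundary (16.7.12), devices below it that can simply be upgraded, and devices below it that are stuck on iOS 16 and need WhatsApp restricted or the asset flagged. The script below is an added example, not part of the article or any MDM vendor's product. It works over a constructed CSV export (the column names are assumed), takes the 16.7.12 threshold and the iPhone 8 / iPhone X "cannot leave iOS 16" models from the article, and adds iPhone 8 Plus on the assumption that it shares the iPhone 8's iOS ceiling.

```python
import csv
from io import StringIO

# Version boundary stated in the article for the WhatsApp sync flaw.
THRESHOLD = (16, 7, 12)

# Models the article names as unable to move past iOS 16; iPhone 8 Plus is an
# assumption that it matches the iPhone 8. Extend from Apple's compatibility list.
CANNOT_LEAVE_IOS16 = {"iPhone 8", "iPhone 8 Plus", "iPhone X"}

# Constructed inventory export; device ids, models and versions are invented.
SAMPLE_INVENTORY = """\
device_id,model,ios_version,whatsapp_installed
D-001,iPhone 8,16.7.10,yes
D-002,iPhone 12,16.6,yes
D-003,iPhone 14,17.5,yes
D-004,iPhone X,16.7.9,no
D-005,iPhone 11,16.7.12,yes
"""


def parse_version(text):
    """Turn '16.7.10' or '16.6' into a comparable 3-tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(model, ios_version, whatsapp_installed):
    """Return the recommended action for one device.

    ok                 - version at or above the threshold
    upgrade_ios        - below threshold, hardware can run a newer iOS
    restrict_whatsapp  - below threshold, stuck on iOS 16, WhatsApp present
    flag_asset         - below threshold, stuck on iOS 16, no WhatsApp
    """
    if parse_version(ios_version) >= THRESHOLD:
        return "ok"
    if model not in CANNOT_LEAVE_IOS16:
        return "upgrade_ios"
    return "restrict_whatsapp" if whatsapp_installed else "flag_asset"


def audit(csv_text):
    """Classify every row of an inventory CSV export."""
    results = []
    for row in csv.DictReader(StringIO(csv_text)):
        has_wa = row["whatsapp_installed"].strip().lower() in {"yes", "true", "1"}
        results.append({
            "device_id": row["device_id"],
            "model": row["model"],
            "ios_version": row["ios_version"],
            "action": classify(row["model"], row["ios_version"], has_wa),
        })
    return results


def summarize(results):
    """Count devices per recommended action."""
    counts = {}
    for r in results:
        counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = audit(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['device_id']:6} {r['model']:12} {r['ios_version']:8} -> {r['action']}")
    print(summarize(rows))
```

The version comparison is deliberately tuple-based rather than string-based: comparing "16.7.9" and "16.7.12" as strings would rank the older build as newer, which is exactly the mistake that leaves a device misclassified as safe.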

What the Patch Status Looks Like

Apple has already addressed CVE-2025-43300 in iOS releases beyond the 16.7.x branch. However, devices that cannot run iOS 17 or later remain unpatched on the ImageIO flaw at the operating system level. For WhatsApp’s own vulnerability, CVE-2025-55177, Meta is expected to push a client-side fix, but users on locked-down iOS 16 hardware may face ongoing exposure depending on the scope of any app-level mitigations WhatsApp can deploy independently.

The safest path for any user still on iOS 16 who can upgrade is to do so immediately.

Key Takeaways

  • A confirmed zero-click WhatsApp account takeover attack is actively targeting iPhone users on iOS 16, with no user interaction required to compromise the account.
  • The attack chains CVE-2025-43300 (Apple ImageIO out-of-bounds write) and CVE-2025-55177 (WhatsApp linked-device sync flaw) to extract cryptographic session data and initialize a rogue client.
  • Affected hardware spans iPhone 8 through iPhone 14 running iOS versions below 16.7.12, with some older models permanently unable to escape the vulnerable iOS 16 branch.
  • Attackers use hijacked accounts to send fraudulent money transfer requests to victim contacts, representing a direct and scalable financial fraud model.
  • Zero-click exploits, previously limited to nation-state-grade tools, are now being operationalized by financially motivated criminal actors.
  • Canadian organizations using WhatsApp for any business communication face potential PIPEDA breach notification obligations if employee accounts are compromised.
  • Updating to the latest iOS version and reinstalling WhatsApp are the two most effective immediate mitigations available.

What You Should Do Now

  1. Update iOS immediately. If your device supports iOS 17 or later, we recommend upgrading now. Apple has patched CVE-2025-43300 in post-16.7.x releases. Do not delay this update.
  2. Check your WhatsApp Linked Devices. Open WhatsApp, go to Settings, then Linked Devices, and remove any sessions you do not recognize. Be aware that this may not surface the rogue session documented in this attack, but it eliminates any standard secondary access.
  3. Reinstall WhatsApp on a clean device. If you are on iOS 16 and cannot upgrade your OS, reinstalling WhatsApp forces a fresh session registration and invalidates any active hijacked session tied to your account.
  4. Enable WhatsApp Chat Lock. This adds an authentication layer that restricts access to message content even if an attacker achieves session access.
  5. Alert your contacts if you suspect compromise. If unexpected money transfer requests were sent from your account, notify your contacts immediately so they do not send funds to the attacker.
  6. Canadian IT administrators should audit corporate iOS device fleets. Any managed device on iOS 16 that cannot upgrade should have WhatsApp access restricted or flagged as a risk item in your asset register.
  7. Never action financial requests received via WhatsApp without independent phone verification. Call the person directly using a known number to confirm any money transfer request, regardless of how legitimate the message appears.