
WhatsApp zero-click exploit on iPhones sends fake money requests without linked devices showing

By Jolyen

May 26, 2026


A forensic investigation in Italy has linked a new zero-click attack on iPhone users to WhatsApp accounts that sent money requests to contacts without any visible linked device; the victims all appear to have been running iOS 16. The analysis points to exploitation of known Apple and WhatsApp vulnerabilities that let attackers extract session material and attach a rogue client to the account without any user interaction.

What victims saw
Affected users reported the same pattern: their WhatsApp numbers sent messages asking recent contacts for wire transfers, yet they had no memory of authorising a new device.
The app’s “Linked Devices” section showed nothing unusual, and none of the victims recalled scanning a QR code or sharing a verification code.

Forensic clues
Forenser said iOS unified logs showed repeated WhatsApp “resync” events, suggesting two clients were competing to keep the same account active.
The firm said that pattern is unusual unless someone else is trying to maintain a parallel session on the account, which makes it a useful indicator when reviewing a suspect device.
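The log pattern Forenser describes is something an examiner can screen for mechanically. The script below is an added example, not code from the article or from Forenser: it parses a handful of constructed unified-log lines in a simplified syslog-style layout (an assumed format; real `log show` output carries more fields and the exact WhatsApp message text is not given in the article), counts WhatsApp resync requests in a sliding time window, and separately lists image-processing errors from the same process so both indicators mentioned in the report can be reviewed together.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real device output) in an assumed
# syslog-style layout: timestamp host process[pid] <level>: message
SAMPLE_LOG = """\
2026-05-20 09:14:02.118 iPhone WhatsApp[412] <Notice>: [Session] resync requested by server
2026-05-20 09:14:09.550 iPhone WhatsApp[412] <Notice>: [Session] resync completed
2026-05-20 09:31:44.002 iPhone WhatsApp[412] <Notice>: [Session] resync requested by server
2026-05-20 09:47:10.391 iPhone WhatsApp[412] <Error>: [Media] image decode failed, error -50
2026-05-20 10:02:17.777 iPhone WhatsApp[412] <Notice>: [Session] resync requested by server
2026-05-20 10:15:58.123 iPhone WhatsApp[412] <Notice>: [Session] resync requested by server
2026-05-21 08:00:00.000 iPhone WhatsApp[412] <Notice>: [Session] resync requested by server
2026-05-21 08:05:00.000 iPhone Mail[301] <Notice>: sync finished
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ "
    r"(?P<proc>[^\[]+)\[\d+\] <(?P<level>\w+)>: (?P<msg>.*)$"
)


def parse(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "proc": m["proc"],
            "level": m["level"],
            "msg": m["msg"],
        })
    return events


def resync_requests(events, proc="WhatsApp"):
    """Resync *requests* only; completion lines are not counted as new events."""
    return [e for e in events
            if e["proc"] == proc and "resync requested" in e["msg"].lower()]


def resync_bursts(events, window=timedelta(hours=2), threshold=3):
    """Return (window_start, count) for each run of >= threshold resync
    requests that fall inside `window`. A single resync is normal; a cluster
    is the 'two clients fighting over one session' pattern worth reviewing."""
    ts = sorted(e["ts"] for e in resync_requests(events))
    bursts = []
    i = 0
    while i < len(ts):
        j = i
        while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((ts[i], count))
            i = j + 1          # skip past the burst we just reported
        else:
            i += 1
    return bursts


def image_errors(events, proc="WhatsApp"):
    """Error-level image-handling lines from the messaging process."""
    return [e for e in events
            if e["proc"] == proc and e["level"] == "Error"
            and "image" in e["msg"].lower()]


def triage(text):
    """One-shot summary an examiner can compare across devices."""
    events = parse(text)
    return {
        "resync_requests": len(resync_requests(events)),
        "resync_bursts": resync_bursts(events),
        "image_errors": len(image_errors(events)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The window and threshold are deliberate guesses and should be tuned against a baseline of known-clean devices; the point is to make the "repeated resync" observation reproducible rather than to assert that any particular count proves compromise.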

Likely vulnerabilities
The researchers identified CVE-2025-43300, an Apple ImageIO out-of-bounds write flaw, and possibly CVE-2025-55177, a WhatsApp iOS/macOS linked-device sync flaw, as the likely attack chain.
Forenser said the devices it examined were all on iOS 16, and the logs also showed image-processing errors consistent with exploitation.

How the attack works
According to the analysis, the exploit can extract cryptographic material from the compromised device and use it to create a WhatsApp client elsewhere tied to the victim’s account.
That would explain why messages were sent from the account while no linked device appeared in the app’s settings.

Mitigation and response
The simplest fix is to update iOS to the latest version, since the flaw was patched in releases after iOS 16.
Forenser also said WhatsApp’s chat lock can help protect individual conversations, and reinstalling WhatsApp or moving to a new device can evict the attacker’s session.

Earlier WhatsApp account attacks
The report also references a separate December campaign, dubbed GhostPairing, in which attackers abused WhatsApp device-linking and pairing codes after luring victims through fake Facebook-style pages.
That earlier campaign relied on social engineering rather than the zero-click iPhone exploit described here.

Practical warning
Users who receive suspicious payment requests on WhatsApp should call the sender directly rather than replying in the chat, because an attacker may see the message first.
Forenser says it is still collecting forensic images and continuing to study the attack model.


Featured image credits: PxHere
