Introduction
A new wave of cyberattacks targeting iPhone users has revealed one of the most unsettling forms of digital compromise seen in recent years. Victims report their WhatsApp accounts sending money requests to contacts without any action on their part, while the app shows no linked devices or suspicious logins. This creates a confusing and dangerous scenario where users appear fully secure on the surface, yet their accounts are actively controlled by an unknown attacker. A forensic investigation in Italy has now linked these incidents to a sophisticated zero click exploitation chain affecting iOS 16 devices, combining Apple system vulnerabilities with WhatsApp session abuse to silently hijack accounts.
Details of the Incident and Investigation
Multiple iPhone users in Italy began reporting unusual WhatsApp behavior where messages were sent from their accounts requesting money transfers without their knowledge
All victims shared the same pattern of compromise involving recent contacts receiving scam messages while older chats remained inaccessible to attackers
The affected devices included a wide range of iPhone models from iPhone 8 through iPhone 14 series, all running iOS 16 or earlier vulnerable builds
Despite the account activity, WhatsApp settings showed no linked devices, no QR code pairing history, and no visible unauthorized sessions
This made traditional account hijacking explanations unlikely, especially those involving social engineering or QR code abuse
Forensic investigators from an Italian firm analyzed system logs and WhatsApp diagnostic data from compromised devices
They discovered repeated "resync" events inside WhatsApp logs indicating constant session renegotiation between two competing endpoints
This suggested that both the victim’s phone and an external attacker device were simultaneously attempting to maintain control over the same account
The attackers were not visible through normal WhatsApp interface controls, implying a deeper session level compromise
Investigators connected the cases to iOS 16 vulnerabilities that could allow unauthorized access to system level data
One vulnerability involved CVE-2025-43300, an out of bounds write issue in Apple’s ImageIO framework
This flaw could be triggered by malicious images, leading to memory corruption and potential data extraction
Another vulnerability involved CVE-2025-55177 affecting WhatsApp on iOS and macOS, related to improper handling of linked device synchronization data
Affected systems included iOS versions older than 16.7.12, matching all compromised devices analyzed
Evidence from system logs showed errors in image processing libraries occurring around the time of account takeover events
Researchers successfully reproduced parts of the attack in a controlled environment using vulnerable iOS builds
They demonstrated that cryptographic session material could be extracted from memory after exploitation
This material allowed attackers to create a fully functional WhatsApp session on another device without notification
The attacker’s session did not appear in linked devices because it bypassed normal pairing mechanisms
The result was a stealth takeover where both attacker and victim intermittently competed for session control
Messages were sent from the victim’s identity while they remained unaware of ongoing exploitation
The attack is classified as zero click because it does not require user interaction such as clicking links or scanning QR codes
The compromise likely occurs silently through malicious data processing such as images or sync messages
Updating iOS beyond the vulnerable versions is considered the most effective mitigation
WhatsApp reinstallation and account reauthentication can help remove unauthorized sessions
Users are advised not to respond to suspicious payment requests inside WhatsApp chats
Direct voice verification is recommended to confirm the legitimacy of any financial request
Security researchers warn that such attacks were previously associated with high level threat actors but are now seen in financially motivated campaigns
A related older attack pattern known as GhostPairing also abused WhatsApp linking features using fake login pages and QR code deception
These combined findings show an evolution of WhatsApp focused account hijacking techniques across both system level and social engineering methods
The incident highlights a growing overlap between mobile operating system vulnerabilities and messaging platform session security weaknesses
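As an added illustration (not the investigators' tooling, and not WhatsApp or Apple code), the triage helper below scores the three indicators the investigation reports on a device: an iOS build older than 16.7.12, bursts of repeated resync events in the messaging logs, and image-processing errors logged close to those bursts. The log line format, field names and sample lines are constructed for the example; real diagnostic formats differ.

```python
import re
from datetime import datetime, timedelta

# Constructed sample diagnostic lines (timestamp, source, message); the real
# WhatsApp and iOS log formats differ, so the parser is illustrative only.
SAMPLE_LOG = """\
2025-09-01T10:00:01 whatsapp session resync requested by endpoint B
2025-09-01T10:00:04 imageio error: bounds check failed in decoder
2025-09-01T10:00:09 whatsapp session resync requested by endpoint A
2025-09-01T10:00:15 whatsapp session resync requested by endpoint B
2025-09-01T10:00:21 whatsapp session resync requested by endpoint A
2025-09-01T12:30:00 whatsapp session resync requested by endpoint A
"""
PATCHED_IOS = (16, 7, 12)  # first build the article reports as not affected
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse_version(s):
    """'16.7.1' -> (16, 7, 1); missing components count as 0."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_build(version):
    return parse_version(version) < PATCHED_IOS

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def resync_bursts(events, window=timedelta(minutes=1), threshold=3):
    """Start times of windows holding >= threshold resync events: the constant
    renegotiation between two endpoints that the investigators describe."""
    times = [t for t, src, msg in events if src == "whatsapp" and "resync" in msg]
    bursts = []
    for i, start in enumerate(times):
        in_window = [t for t in times[i:] if t - start <= window]
        if len(in_window) >= threshold and (not bursts or start - bursts[-1] > window):
            bursts.append(start)
    return bursts

def imageio_errors_near(events, when, slack=timedelta(minutes=5)):
    """Image-parsing errors logged close to a burst (the ImageIO correlation)."""
    return [msg for t, src, msg in events
            if src == "imageio" and "error" in msg and abs(t - when) <= slack]

def triage(log_text, ios_version):
    events = parse_log(log_text)
    bursts = resync_bursts(events)
    return {"vulnerable_build": is_vulnerable_build(ios_version),
            "resync_bursts": len(bursts),
            "imageio_errors_near_bursts": sum(len(imageio_errors_near(events, b)) for b in bursts)}
```

A single resync (the 12:30 line) is not flagged; only sustained renegotiation on an unpatched build, with parser errors nearby, matches the pattern reported here.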
What Undercode Says:
This incident highlights a dangerous shift in mobile exploitation techniques targeting messaging platforms
Zero click attacks remove the user as the weakest link because no interaction is required
Instead, the operating system itself becomes the entry point through hidden memory corruption flaws
iOS 16 appears to be a critical exposure window where patched and unpatched devices diverged significantly
The exploitation of ImageIO shows how seemingly harmless features like image parsing can become attack vectors
WhatsApp session architecture becomes vulnerable once cryptographic material is extracted from device memory
This allows attackers to bypass traditional authentication entirely
The absence of linked device entries suggests attackers are not using standard WhatsApp Web mechanisms
Instead, they are injecting sessions at a lower protocol or memory level
The continuous resync logs indicate real time competition between legitimate and malicious sessions
This behavior is rare in typical account takeover cases and strongly indicates active session duplication
Financial fraud becomes the immediate goal, with attackers targeting recent contacts for quick monetization
The attack demonstrates convergence of iOS kernel or framework level flaws with application level abuse
It also shows how messaging apps can become proxy financial fraud tools once identity is stolen
The forensic reproduction confirms that real world exploitation is not theoretical but actively functional
The shrinking gap between vulnerability disclosure and exploitation is a key concern
Attackers no longer need advanced nation state resources to deploy zero click chains
Public CVE knowledge combined with unpatched devices creates a scalable attack surface
WhatsApp users are particularly exposed due to high trust in personal message identities
Even secure messaging encryption does not protect against endpoint compromise
The real security boundary is no longer the app but the operating system integrity
This case also demonstrates that device visibility features like linked sessions are not sufficient defense
Attackers operating at the session reconstruction level remain invisible to user interfaces
Mobile security must increasingly focus on memory safety and runtime integrity
The incident suggests future attacks may further combine multiple CVEs for automation
Financially motivated cybercrime groups are now capable of using advanced exploit chains
This represents a democratization of previously elite cyber capabilities
Users relying on outdated OS versions remain primary targets
Security awareness alone is insufficient without rapid patch adoption
System level isolation and hardened media parsing pipelines are critical defense priorities
Messaging platforms may need stronger cryptographic binding to hardware identity
The evolution of GhostPairing style attacks shows hybridization of social engineering and system exploits
Overall, the attack represents a new phase of silent account takeover methodology
Fact Checker Results
✔ Reports align with known patterns of WhatsApp session hijacking via device-level compromise
❌ Specific CVE exploitation chain cannot be independently confirmed as actively weaponized in all cases
✔ iOS and WhatsApp vulnerabilities have historically been used in real zero-click exploit campaigns
Prediction
Future attacks will likely expand beyond WhatsApp into other messaging platforms using similar session extraction techniques
Zero click exploitation chains will become more modular, combining multiple smaller vulnerabilities into automated toolkits
Mobile operating system vendors will accelerate patch cycles and strengthen memory safety protections to counter this growing threat
References:
Reported By: securityaffairs.com