Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning

Security Affairs, May 25, 2026

Key Takeaways

  • Zero-click exploit targets iOS 16 devices to hijack WhatsApp sessions
  • Attack extracts cryptographic material, enabling hidden client without Linked Devices entry
  • Vulnerabilities CVE‑2025‑43300 and CVE‑2025‑55177 are the likely attack vectors
  • Updating iOS beyond 16.7.12 patches the flaw and stops exploitation
  • Users should lock chats and reinstall WhatsApp to evict existing attackers

Pulse Analysis

Zero‑click attacks have long been the preserve of nation‑state actors, but the recent WhatsApp hijackings on iOS 16 signal a shift toward financially motivated cybercrime. By exploiting an out‑of‑bounds write in Apple’s ImageIO framework (CVE‑2025‑43300) and a URL‑parsing flaw in WhatsApp’s device‑sync code (CVE‑2025‑55177), threat actors can silently extract the cryptographic material that powers a WhatsApp session. Because the exploit requires no user interaction, traditional hygiene measures—such as avoiding suspicious links—offer no protection, leaving millions of iPhone users exposed.

Forensic analysis revealed a distinctive pattern of continuous "resync" events in the iOS unified logs, indicating two clients fighting for control of the same session. The attacker’s client never registers as a linked device, so the victim sees no evidence in the app’s settings. By replaying the stolen handshake data on a remote server, the adversary can send fraudulent money‑request messages to recent contacts, exploiting the trust inherent in personal chats. The attack’s reliance on specific iOS 16 builds means that devices that have not applied Apple’s post‑August 2025 patches remain vulnerable, underscoring the critical importance of timely OS updates.
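The "continuous resync" pattern above is the kind of signal a responder would look for in a unified-log export. The following is an added example, not code from the article or from WhatsApp, that parses `log show`-style lines and flags bursts of resync events from the WhatsApp process. The sample lines, the message text ("session resync requested") and the column layout are constructed for illustration; the real log messages were not quoted in the article, so the process name, keyword and thresholds are parameters you would adjust against a genuine export.

```python
"""Flag bursts of WhatsApp 'resync' events in an iOS unified-log export.

Added example, not from the article. Line format mirrors `log show` output;
the WhatsApp message text and the subsystem columns are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: six resyncs in eight seconds (the contested-session
# pattern), one unrelated benign line, and one isolated resync two hours later.
SAMPLE_LOG = """\
2026-05-20 09:14:02.101000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
2026-05-20 09:14:03.402000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
2026-05-20 09:14:05.011000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
2026-05-20 09:14:06.777000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
2026-05-20 09:14:08.250000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
2026-05-20 09:14:09.900000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
2026-05-20 09:30:00.000000+0000 0x1a2b  Default  0x0  WhatsApp: (net) keepalive ok
2026-05-20 11:02:15.000000+0000 0x1a2b  Default  0x0  WhatsApp: (sync) session resync requested
"""

# timestamp, thread id, type, activity id, "process: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<proc>[^:]+):\s*(?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"


def parse_events(log_text, process="WhatsApp", keyword="resync"):
    """Return sorted timestamps of lines from `process` whose message mentions `keyword`."""
    times = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != process:
            continue
        if keyword not in m.group("msg").lower():
            continue
        times.append(datetime.strptime(m.group("ts"), TS_FMT))
    return sorted(times)


def _summarise(cluster):
    return {
        "start": cluster[0].isoformat(),
        "end": cluster[-1].isoformat(),
        "count": len(cluster),
        "span_seconds": (cluster[-1] - cluster[0]).total_seconds(),
    }


def find_bursts(times, min_events=5, max_gap_seconds=30):
    """Group events whose successive gaps are <= max_gap_seconds and report
    groups holding at least min_events. A single resync after a reconnect is
    normal; a tight run of them is what the article describes as two clients
    contending for one session and is worth escalating."""
    gap = timedelta(seconds=max_gap_seconds)
    bursts, cluster = [], []
    for t in times:
        if cluster and t - cluster[-1] > gap:
            if len(cluster) >= min_events:
                bursts.append(_summarise(cluster))
            cluster = []
        cluster.append(t)
    if len(cluster) >= min_events:
        bursts.append(_summarise(cluster))
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"resync burst: {b['count']} events in {b['span_seconds']:.1f}s "
              f"({b['start']} .. {b['end']})")
```

On the constructed input this reports one burst of six events spanning about 7.8 seconds and ignores the lone resync later in the day. The gap-based clustering is deliberately simple so that the two knobs that matter, how close events must be and how many make a burst, are explicit and easy to tune against baseline logs from a known-clean device before relying on the rule.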

Mitigation is straightforward: upgrade iOS to the latest version, which contains patches for both CVEs, and reinstall WhatsApp to force a fresh authentication. Enabling chat locks adds an extra barrier, preventing attackers from reading or sending messages even if they obtain session keys. For enterprises, the incident highlights the need for robust mobile device management policies that enforce rapid patch cycles and monitor anomalous app behavior. As zero‑click exploits become more accessible, proactive security hygiene will be the decisive factor in protecting both personal and corporate communications.
