The Citizen Lab research group at the University of Toronto has uncovered a zero-day vulnerability in Meta’s WhatsApp during an investigation into spyware attacks linked to Israeli firm Paragon Solutions.
Paragon, which has been active since 2019, develops Graphite, a spyware tool the company claims is designed with safeguards to prevent misuse by authoritarian regimes. However, evidence uncovered by Citizen Lab contradicts Paragon’s claims about its target selection.
WhatsApp has not issued a public advisory for the vulnerability or assigned a CVE identifier, which indicates that the issue was likely fixed on the server side and that users do not need to take any action.
In addition to the zero-day vulnerability, WhatsApp confirmed to Citizen Lab that an Android component called BigPretzel, which has been linked to attacks on WhatsApp users, is also associated with Paragon Solutions.
Citizen Lab reported that 90 individuals across two dozen countries were notified by Meta that they had been targeted with Paragon’s spyware through WhatsApp. The group noted that the cases investigated so far show a disturbing pattern of targeting human rights organizations, government critics, and journalists.
Graphite spyware has been detected in Australia, Canada, Denmark, Singapore, Israel, and Cyprus, with indications that law enforcement in Canada may have used the tool.
The spyware also recently made headlines in Italy, where it was reportedly used to target Android and iPhone users, including journalists and migrant activists. The Italian government denied involvement in surveillance using Paragon spyware.
Citizen Lab shared details about Paragon’s infrastructure with Meta, leading to the discovery of a zero-click exploit that allowed spyware deployment without any user interaction. Meta used this information to identify and mitigate the exploit and to attribute it to Paragon.
WhatsApp exploits, especially zero-click vulnerabilities, are highly valuable, which makes them sought after by surveillance firms and threat actors worldwide.