Fresh investigations have revealed that Israeli spyware maker Paragon Solutions used a zero-day vulnerability in Meta’s WhatsApp to deploy its notorious Graphite spyware—and alarmingly, no user interaction was needed for infection.
Researchers at Citizen Lab, a cybersecurity watchdog based at the University of Toronto, uncovered the sophisticated attacks after analyzing Graphite’s activities across multiple countries. Their findings point to a disturbing use of zero-click exploits, which left victims completely unaware that they were being spied on.
WhatsApp Targeted by Silent Zero-Click Exploit
According to Citizen Lab, the Paragon spyware attacks exploited a previously unknown vulnerability in WhatsApp’s messaging system, allowing silent installation on both iPhone and Android devices.
The most concerning part? Victims didn’t have to click anything. The zero-click nature of the exploit meant that a simple message delivered via WhatsApp was enough to compromise a device silently.
Citizen Lab shared technical details with Meta, suspecting WhatsApp was a key infection vector. In response, Meta launched an internal investigation and confirmed that Paragon’s zero-click exploit was indeed real and linked to the spyware.
Meta has since warned 90 users in over two dozen countries that they had been specifically targeted by Paragon’s spyware.
Paragon’s Global Reach Raises Red Flags
Founded in 2019, Paragon Solutions claims its spyware, Graphite, is designed with safeguards to prevent misuse. The company distances itself from infamous firms like NSO Group, whose Pegasus spyware has been used to surveil journalists and activists worldwide.
However, Citizen Lab’s investigation paints a different picture. Their research confirmed Graphite’s presence in countries such as Australia, Canada, Denmark, Singapore, Israel, and Cyprus. Alarmingly, there’s evidence that Canadian law enforcement agencies may have deployed Graphite.
Further reports out of Italy revealed that both iPhone and Android users were targeted. The Italian government, however, denied any surveillance of journalists or migrant rights activists using the Paragon spyware.
WhatsApp Silent Vulnerability Possibly Fixed Server-Side
Meta has yet to release a public advisory or assign a CVE identifier for the vulnerability. This silence hints that the exploit was likely patched server-side, sparing users from needing to update their apps.
In addition to the zero-day exploit, WhatsApp confirmed that a malicious Android component named BigPretzel—previously linked to user attacks—was also connected to Paragon’s spyware infrastructure.
Human Rights Defenders and Journalists Among Targets
Paragon claims strict controls over who accesses its technology. Yet, Citizen Lab’s evidence suggests otherwise. The spyware seems to have been used in the same troubling pattern seen with other commercial surveillance tools—targeting human rights defenders, journalists, and critics of governments.
Citizen Lab warned that the 90 known victims represent just the tip of the iceberg. Many more might have been silently infected without ever knowing.
Growing Concerns Over Commercial Spyware Abuse
The revelation of Paragon’s involvement in zero-click WhatsApp attacks adds another chapter to the growing abuse of commercial spyware. As these tools become more advanced and silent, the risk to activists, journalists, and ordinary citizens around the world increases.
Meta’s swift action and partnership with Citizen Lab were crucial in exposing this silent threat. However, the case underscores the urgent need for global regulations on spyware vendors and stricter accountability for their clients.