WhatsApp has successfully patched a zero-click, zero-day vulnerability that was exploited by Paragon Solutions to install Graphite spyware on targeted devices. This vulnerability was discovered by researchers at the University of Toronto’s Citizen Lab, leading to a swift response from WhatsApp to mitigate the threat.
Key Points of the Paragon Spyware Attack
- Zero-Click Vulnerability: The attack involved a zero-click exploit, meaning no user interaction was required for the device to be compromised. Targets were added to a WhatsApp group and sent a malicious PDF, which the device processed automatically, triggering the exploit.
- Graphite Spyware: The Graphite spyware, developed by Paragon Solutions, was used to collect sensitive data and intercept private communications. It compromised other apps on the device by escaping the Android sandbox.
- Targets: Approximately 90 Android users in more than two dozen countries, including Italian journalists and activists, were notified by WhatsApp that they were targeted and possibly compromised.
- Detection and Removal: Infections can be detected using a forensic artifact known as BIGPRETZEL. However, the absence of this artifact does not rule out an infection, because the relevant logs may have been overwritten.
- Infrastructure Mapping: Researchers mapped Paragon’s server infrastructure, finding potential links to government customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
Background on Paragon Solutions
Paragon Solutions, founded in 2019 by Ehud Barak and Ehud Schneorson, claims to sell its surveillance tools only to law enforcement and intelligence agencies in democratic countries. The company was acquired by AE Industrial Partners in December 2024.
Response and Accountability
WhatsApp has taken steps to hold spyware companies accountable for their actions, emphasizing the need for stronger accountability. Meta issued a cease-and-desist letter to Paragon and is considering further legal measures.