A popular messaging app has a security flaw, so iPhone users should update it.

A pair of WhatsApp software flaws can leave iPhone users' devices compromised.
iPhone users with WhatsApp installed should immediately update the application to address a significant security vulnerability. Meta-owned WhatsApp issued a warning regarding a recently patched flaw that could allow attackers to extract data from targeted devices.
The August security advisory highlights two vulnerabilities that, when used together, could seriously affect iPhone users. One vulnerability, listed as CVE-2024-55177, involves incomplete authorization of linked device synchronization messages in WhatsApp for iOS versions before v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. WhatsApp noted that this flaw, combined with an OS-level vulnerability on Apple platforms (CVE-2024-43300), may have been exploited in targeted attacks.
Security expert Donncha Ó Cearbhaill of Amnesty International described the combined vulnerabilities as a "zero-click" attack, requiring no user interaction to activate. In posts on "X," Ó Cearbhaill said this "advanced spyware campaign" has been targeting iPhones since May. Once initiated, the attack can compromise the device and its data, including messages. The identity of the group behind the attacks is currently unknown. While WhatsApp states the vulnerability primarily affects iOS and macOS, there are indications Android devices may also be at risk.
WhatsApp and Meta are advising iPhone users to perform a full factory reset to remove any potential malware. Users should also ensure they have the latest version of iOS installed and update WhatsApp to v2.25.21.73 or higher via the App Store.
Android users can safeguard their devices by installing the newest version of WhatsApp from the Play Store.
Ó Cearbhaill suggests enabling iOS Lockdown Mode or Android's Advanced Protection Mode for increased protection. Meta spokesperson Margarita Franklin stated the flaw was patched "a few weeks ago," with fewer than 200 affected users receiving notifications.
The notifications stated that a malicious message may have been sent through WhatsApp, potentially compromising the device and its data when combined with other vulnerabilities. Users were urged to take steps to secure their device and information as a precaution.
In related news, WhatsApp previously disrupted a spyware campaign targeting 90 users, including journalists and members of Italian civil society.
Meta acquired WhatsApp in 2014 for over $21 billion.