
What Happened
On Friday, WhatsApp announced that it had disrupted a sophisticated hacking operation that used Paragon’s Graphite spyware against its users. According to Meta’s security team, the threat actors employed a “zero-click” exploit: a target’s device could be compromised without the target opening, tapping or answering anything.
“WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users, including journalists and members of civil society,” a company spokesperson told The Guardian. “We’ve reached out directly to people who we believe were affected. This [incident] is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately.”
The Latest Spyware Campaign
AE Industrial Partners recently acquired Paragon, an Israeli surveillance company, in a deal reportedly worth up to $900 million. Unlike its controversial spyware peers, Paragon positioned itself as the “ethical” alternative to companies like NSO Group and Intellexa. The company now faces intense scrutiny as a result of this campaign. Meta announced Friday that it had issued a cease-and-desist letter to Paragon and was considering further legal action. WhatsApp markets itself as a secure end-to-end encrypted communication platform and has sued spyware vendors that threaten its users’ privacy before: in 2019, WhatsApp (then owned by Facebook, now Meta) sued NSO Group after NSO exploited a vulnerability in WhatsApp to install its Pegasus spyware on the devices of targeted users.
Despite Meta’s response, John Scott-Railton, Senior Researcher at the University of Toronto’s Citizen Lab, argues that the incentives point toward more spyware, not less: “Mercenary spyware companies will probably keep chasing massive exits. Hoping the music doesn’t stop until a sale goes through… not a lot of incentive to be skeptical of government customers.”
How Attackers Conducted the Attack
Meta said the attackers compromised targets by adding them to WhatsApp group chats and sending a malicious PDF, which the app processed without the recipient opening it. Meta has not released further technical details, but this is not the first zero-click smartphone attack to ride on a malicious document: the file is parsed automatically (to render a preview, for example), and a bug in the parser gives the attacker code execution. The 2023 Operation Triangulation attacks, which targeted the iPhones of Kaspersky researchers, delivered a malicious PDF disguised as a .watchface attachment over iMessage, and the exploit ran before the victim touched the message.
Government’s New Spyware Concerns
While Paragon primarily sold licenses for its software to governments other than the US, the company had early traction with US agencies: ICE awarded it a $2 million contract. Privacy experts believe this campaign will sour the US government’s perception of Paragon. “Their business model is hacking American companies. In the service of foreign governments,” Scott-Railton says. “If I’m in the NSC tonight, I have to be wondering whether Paragon’s #Graphite spyware, like NSO’s #Pegasus before it, is lurking on any US officials’ devices. Or those of US allies. Governments around the world will be asking the same question.”
Smartphone Security Whiplash
Meta says WhatsApp began investigating these attacks in December 2024. At the same time, US officials were urging Americans to use end-to-end encrypted apps such as WhatsApp or Signal, because the Chinese state-affiliated group Salt Typhoon had infiltrated several major US telecommunications carriers and could access unencrypted calls and texts passing through them. The two developments are not contradictory, but they expose a distinction users rarely make: end-to-end encryption protects messages in transit across a compromised network, and does nothing once the endpoint itself is compromised. Spyware like Graphite reads messages after the app has decrypted them on the device, so the carrier’s security and the phone’s security are separate problems that need separate answers.
The False Security Paradigm
Organizations face a fundamental security disconnect:
- Users trust their smartphones implicitly, believing encryption and security features make them safe
- The reality is that these devices:
  - Constantly collect data about their environment
  - Maintain persistent wireless connections
  - Communicate over cellular networks outside organizational control
  - Store sensitive data while maintaining multiple potential exfiltration paths
Walking Antennas: Smartphones as Attack Platforms
Modern smartphones carry multiple radios (cellular, Wi-Fi, Bluetooth, ultra-wideband and NFC) that continuously scan their surroundings and transmit. Organizations have traditionally discounted the risk from wireless devices on the assumption that an attacker must be physically near a target to exploit them, and have let personal smartphones and IoT devices proliferate on their premises. The Nearest Neighbor attack disclosed by Volexity in November 2024 undercuts that assumption. The attacker, operating remotely, first compromised a neighboring organization’s network, found a device there that was both wired to that network and equipped with a Wi-Fi adapter, and used it to connect to the target’s enterprise Wi-Fi with credentials obtained by password spraying the target’s public-facing services. Multi-factor authentication had blocked those credentials on the internet-facing services; the Wi-Fi network accepted the same credentials without it. Any unmanaged radio within range of an organization’s Wi-Fi is therefore a potential foothold for an attacker thousands of miles away, and wireless networks deserve the same authentication hardening and monitoring as internet-facing ones. Pentesting platforms such as Kali NetHunter received significant updates in 2024 that let a smartphone conduct a wide array of Wi-Fi and Bluetooth attacks using its internal radios.
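The Nearest Neighbor intrusion left a trail that an organization watching its Wi-Fi authentication logs could have caught: one client trying many accounts, then succeeding with one. The detector below is an added example, not Volexity’s code or any vendor’s; it runs over a constructed, simplified authentication log (the `wlan-auth result=… user=… client=…` line format is invented for the example, not a real product’s format) and raises one alert when a client fails against a threshold of distinct accounts within a window, and a second when that same client later authenticates successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example: timestamp, outcome, account tried,
# and the client MAC that tried it. Map your RADIUS/controller fields to these.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) wlan-auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) client=(?P<client>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "client": m["client"]})
    return events


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return alert strings for password spraying against the Wi-Fi network.

    A spray is one client failing against >= min_users distinct accounts within
    `window`; a later successful auth from a sprayed client is a second alert,
    because that is the moment a Nearest Neighbor style attacker gets on the LAN.
    """
    events = sorted(parse(lines), key=lambda e: e["ts"])
    failures = defaultdict(list)   # client -> [(ts, user)] failures inside the window
    sprayed = set()                # clients already flagged as spraying
    alerts = []
    for e in events:
        hist = failures[e["client"]]
        # Slide the window: keep only failures recent enough to count.
        hist[:] = [(t, u) for t, u in hist if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            hist.append((e["ts"], e["user"]))
            distinct = {u for _, u in hist}
            if len(distinct) >= min_users and e["client"] not in sprayed:
                sprayed.add(e["client"])
                alerts.append(
                    f"spray: client {e['client']} failed for {len(distinct)} accounts "
                    f"within {int(window.total_seconds() // 60)} min (last: {e['user']})"
                )
        elif e["client"] in sprayed:
            alerts.append(f"spray-success: client {e['client']} authenticated as {e['user']} after spraying")
    return alerts


# Constructed sample: client ...:01 walks through six accounts and then logs in
# as bob; client ...:02 is a user mistyping their own password once.
SAMPLE_LOG = """\
2024-11-05T02:14:00Z wlan-auth result=FAIL user=alice client=aa:bb:cc:dd:ee:01
2024-11-05T02:14:10Z wlan-auth result=FAIL user=bob client=aa:bb:cc:dd:ee:01
2024-11-05T02:14:20Z wlan-auth result=FAIL user=carol client=aa:bb:cc:dd:ee:01
2024-11-05T02:14:30Z wlan-auth result=FAIL user=dave client=aa:bb:cc:dd:ee:01
2024-11-05T02:15:00Z wlan-auth result=FAIL user=alice client=aa:bb:cc:dd:ee:02
2024-11-05T02:14:40Z wlan-auth result=FAIL user=erin client=aa:bb:cc:dd:ee:01
2024-11-05T02:14:50Z wlan-auth result=FAIL user=frank client=aa:bb:cc:dd:ee:01
2024-11-05T02:16:00Z wlan-auth result=OK user=bob client=aa:bb:cc:dd:ee:01
2024-11-05T02:20:00Z wlan-auth result=OK user=alice client=aa:bb:cc:dd:ee:02
""".splitlines()


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The client MAC is a weak key (a remote attacker using a neighbor’s device has a legitimate-looking MAC, and MACs can be set freely), so in production also key on the access point and the supplicant identity. The detection is a backstop, not the fix: the fix Volexity’s case points to is requiring MFA or certificate-based authentication on the Wi-Fi network, so that a sprayed password alone is as useless there as it already was on the VPN.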
Security Implications for Organizations
This new understanding requires a paradigm shift in how organizations approach smartphone security:
- Zero Trust for Mobile: Treat all smartphones as potential threat vectors, regardless of their security settings or installed apps
- Location-Based Controls: Implement strict controls on smartphone presence in sensitive areas
- Continuous Monitoring: Deploy solutions that can detect and track wireless emissions from all smartphone communication channels
- Policy Updates: Revise security policies to account for smartphones’ multi-faceted threat potential
Looking Ahead
The cybersecurity industry must accept that smartphones represent an inherent security risk that organizations cannot mitigate through traditional means. As these devices become more sophisticated and attacks more creative, it becomes crucial for organizations to adopt comprehensive wireless security strategies that account for all potential attack vectors.