
WhatsApp has patched a zero-day vulnerability, tracked as CVE-2025-30259, that had been exploited to deploy the Paragon Graphite spyware, following reports from researchers at the University of Toronto's Citizen Lab. The company mitigated the attack vector server-side late last year, so users did not need to update their applications.
Representatives of the platform confirmed that they had notified affected users, including journalists and activists, informing them that their devices may have been compromised. WhatsApp also underscored the critical need for accountability among companies engaged in the development of spyware.
On January 31, after neutralizing the exploit, WhatsApp issued warnings to approximately 90 Android users across more than 20 countries, including journalists and activists from Italy. The vulnerability allowed threat actors to install Graphite spyware on victims' devices without any interaction on their part. The attack began when the target was added to a WhatsApp group, followed by the delivery of a malicious PDF file; the application processed the file automatically, which led to the deployment of the spyware implant.
Once a device was infected, Graphite gained access to other applications on it, bypassing Android's sandboxing and other security mechanisms. This enabled attackers to intercept victims' messages, eavesdrop on calls, and exfiltrate confidential data. Citizen Lab researchers identified a distinctive forensic artifact, which they named BIGPRETZEL, that can aid in detecting infections. However, the absence of such traces in system logs does not guarantee that a device was not compromised, since the relevant logs may have been overwritten or never captured.
Investigators also analyzed Paragon’s infrastructure, which was used to distribute the spyware, uncovering potential links to government entities in multiple nations, including Australia, Canada, Cyprus, Denmark, Israel, and Singapore. By examining domains, digital certificates, and IP addresses, researchers identified 150 certificates associated with numerous command-and-control servers.
A portion of this infrastructure was likely leased by Paragon or its clientele, while some components may have been directly operated by government agencies. Notably, servers contained references to “Paragon”, as well as certificates bearing the terms “Graphite” and “installerserver”—a naming convention reminiscent of how Pegasus spyware employs an “Installation Server” to infect targeted devices.
Paragon Solutions Ltd. was founded in 2019 by former Israeli Prime Minister Ehud Barak and ex-commander of Israel’s Unit 8200, Ehud Schneorson. In December 2024, the company was acquired by the U.S. investment firm AE Industrial Partners.
Paragon asserts that it sells its technology exclusively to law enforcement and intelligence agencies in democratic nations for crime-fighting purposes. However, multiple reports suggest that Graphite has been deployed in scenarios beyond its stated objectives, including surveillance of journalists and activists. This raises serious concerns about the level of oversight and regulation governing the use of such spyware.