WhatsApp, exploited by Paragon's Graphite spyware, underscores critical issues in cybersecurity, surveillance, and digital privacy. Here's a structured breakdown

Continue reading
WhatsApp has disrupted a sophisticated spyware operation by Israeli firm Paragon Solutions, which exploited a zero-click, zero-day vulnerability in the messaging app to target journalists, activists, and civil society members across over two dozen countries. The campaign, uncovered by researchers at the University of Toronto’s Citizen Lab, exploited malicious PDF files sent through WhatsApp groups to deploy Paragon’s Graphite spyware, enabling unauthorized access to private communications and device data. WhatsApp mitigated the attack in late 2023 via a server-side patch, avoiding the need for user intervention, but declined to assign a public tracking identifier (CVE-ID) to the flaw.
How It Worked Attackers added targets to WhatsApp groups and delivered a booby-trapped PDF. Upon automatic processing by WhatsApp’s background services, the PDF exploited a zero-click vulnerability—requiring no user interaction—to install Paragon’s Graphite spyware. The implant bypassed Android’s security sandbox, granting operators full access to the device, including messages, microphone, and camera.
WhatsApp’s Response Meta’s WhatsApp team addressed the vulnerability server-side, preventing further exploitation without requiring app updates. A spokesperson confirmed that roughly 90 Android users, primarily journalists and activists in Italy and other nations, were notified of targeting. Despite the severity, WhatsApp opted against assigning a CVE-ID, citing compliance with MITRE guidelines and internal policies—a decision criticized by some cybersecurity experts for limiting transparency.
Detecting Graphite Infections Citizen Lab identified a forensic artifact dubbed BIGPRETZEL within Android logs to detect Graphite infections. However, researchers cautioned that sporadic log retention on Android devices could obscure evidence.
Mapping Paragon’s Network The investigation traced Graphite’s infrastructure to over 150 digital certificates and servers linked to government clients in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Notably, servers hosted in Israel returned Paragon-branded webpages, while a TLS certificate named “installerserver” hinted at parallels to NSO Group’s Pegasus spyware. U.S. agencies, including the Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE), were reported to have contracts with Paragon totalling millions of dollars.

Founding and Clientele Paragon Solutions, founded in 2019 by former Israeli Prime Minister Ehud Barak and ex-Unit 8200 commander Ehud Schneorson, markets its tools exclusively to “democratic governments” for targeting criminals. However, its acquisition by Florida-based AE Industrial Partners in December 2024 and contracts with U.S. agencies raise concerns about unchecked surveillance capabilities.
Ethical Dilemmas While Paragon insists its clients adhere to legal standards, Citizen Lab’s findings underscore risks of abuse. “Commercial spyware firms often operate in legal grey zones,” said John Scott-Railton, senior researcher at Citizen Lab. “Tools designed for fighting crime can easily be weaponized against dissidents or journalists.”
The Zero-Click Threat Zero-click exploits represent a mounting cybersecurity crisis, circumventing traditional user defences. WhatsApp’s server-side fix highlights the need for proactive platform-level mitigations, yet the lack of a CVE-ID complicates independent analysis of the flaw.
Calls for Regulation Advocates urge stricter oversight of the commercial spyware industry. “This isn’t just a technical issue—it’s a human rights issue,” said Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation. “When governments purchase these tools, they’re often used to undermine democracy, not protect it.”
The Graphite campaign exemplifies the escalating arms race between tech firms and state-aligned spyware vendors. While WhatsApp’s rapid response mitigated immediate harm, the incident underscores systemic vulnerabilities in widely used communication platforms. With Paragon’s expanding government ties and the opaque nature of zero-day markets, experts warn that privacy breaches targeting civil society will persist without robust international accountability frameworks.
Final Quote “WhatsApp’s actions are commendable, but this is a drop in the ocean,” Scott-Railton added. “Until the spyware industry is regulated like the arms trade, journalists and activists will remain in the crosshairs.”
Additional Reporting: Citizen Lab’s full technical analysis and indicators of compromise (IoCs) are available [here]. For users concerned about spyware, WhatsApp recommends enabling two-step verification and monitoring for unusual activity.
—Updated to reflect Paragon’s acquisition timeline and U.S. agency contracts as reported.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.