Also: France Temporarily Lifts Pavel Durov’s Travel Ban Amid Telegram Probe

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Paragon Solutions used a WhatsApp zero-day, France temporarily lifted Pavel Durov’s travel ban, Vapor malware hit 60 million Android users, state-backed hackers exploited an unpatched Windows flaw, a Western Alliance Bank breach exposed 22,000 customers’ data, Apple fixed a Passwords app bug, and a California sperm bank exposed customer information.
Paragon Solutions Exploited a WhatsApp Zero-Day
Researchers at the University of Toronto’s Citizen Lab analyzed spyware attacks linked to Paragon Solutions, uncovering a zero-day vulnerability in Meta’s WhatsApp messaging app.
Paragon is one of a handful of Israel-based commercial surveillance companies, and one that has attempted to differentiate itself by asserting that it guards against the kind of spyware abuses perpetrated with software made by competitor NSO Group.
Citizen Lab researchers found attackers using malicious PDF files sent through WhatsApp group chats to deliver Paragon’s Graphite spyware, exploiting a vulnerability that required no user interaction. When received, the victim’s device automatically processed the file, allowing the spyware to infiltrate WhatsApp and spread beyond its sandbox to compromise other apps.
At least 90 individuals across more than 24 countries – including journalists and civil society members – were targeted. The spyware granted attackers access to victims’ messaging apps. A number of victims were members of civil society in Italy. WhatsApp detected and neutralized the exploit in December 2024, addressing the vulnerability through a server-side fix without requiring users to update their apps. No CVE identifier was assigned.
Citizen Lab’s infrastructure analysis played a key role in Meta’s broader investigation into Paragon, helping WhatsApp track and mitigate the attack. On Jan. 31, WhatsApp notified approximately 90 affected users.
Forensic analysis of multiple devices in Italy confirmed infections linked to Paragon, with researchers identifying a distinct artifact named “BIGPRETZEL.” Victims included Francesco Cancellato, editor-in-chief of Fanpage.it, and members of Mediterranea Saving Humans, a non-profit involved in migrant rescue efforts in the Mediterranean.
The Italian government denied any involvement. It acknowledged being a Paragon customer but said journalists and activists were not among its targets. Following public scrutiny, officials announced a temporary suspension of Paragon’s spyware use pending further investigation.
France Temporarily Lifts Pavel Durov’s Travel Ban Amid Telegram Probe
French authorities temporarily lifted travel restrictions on Telegram CEO Pavel Durov, allowing him to leave the country while an investigation into criminal activity on the platform continues, Bloomberg reported. Durov confirmed his return to Dubai, thanking officials and his legal team for their support.
Durov was arrested in August 2024 at Le Bourget Airport near Paris over allegations that Telegram facilitated fraud, drug trafficking and illegal content distribution. He was released on 5 million euro bail but was barred from leaving France. The travel ban is suspended from March 15 to April 7.
Since his arrest, Telegram has started sharing users’ phone numbers and IP addresses with law enforcement under valid court orders and enhanced its efforts to curb illegal content.
Vapor Malware Hits 60M Android Users via Google Play
A large-scale malware campaign, dubbed “Vapor” by IAS Threat Lab, infected over 60 million Android devices through 331 malicious apps on Google Play. These apps, disguised as utilities such as fitness trackers, QR scanners and note-taking tools, engaged in ad fraud and phishing attacks targeting credentials and payment details.
IAS initially identified 180 apps generating 200 million fraudulent ad bid requests daily. Bitdefender later expanded the list to 331, with infections reported in Brazil, the United States, Mexico, Turkey and South Korea. These apps bypassed Google Play’s security checks by appearing legitimate at first and downloading malicious updates after installation. Once active, they hid their icons, renamed themselves to mimic trusted apps such as Google Voice, and overlaid phishing screens to steal login credentials and credit card details. Some locked users into full-screen ads by disabling navigation buttons.
Google has since removed all identified Vapor apps.
State-Backed Hackers Exploit Unpatched Windows Flaw for Espionage
Nearly a dozen state-sponsored hacking groups have exploited an unpatched Windows security flaw in campaigns that date to 2017. Tracked as ZDI-CAN-25373, the flaw stems from hackers’ ability to embed command line arguments into a Windows shortcut file. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content,” warned researchers from Trend Zero Day Initiative. Nearly half of the state-sponsored threat actors that exploited ZDI-CAN-25373 appear to originate from North Korea. The state actors also include groups from China, Iran and Russia.
Trend Micro found nearly 1,000 malicious .LNK artifacts linked to groups including Evil Corp, Kimsuky, Konni, Bitter and ScarCruft. The primary targets include governments, financial firms, telecom providers and military agencies in the U.S., Canada, South Korea, Vietnam and Brazil.
The malicious Windows shortcut files serve as a vehicle for malware such as Lumma Stealer, GuLoader, and Remcos RAT. Evil Corp has used the flaw to spread Raspberry Robin malware. Despite the risk, Trend Micro said Microsoft classifies the issue as low severity and has no plans to release a fix.
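The defensive takeaway from the ZDI-CAN-25373 reporting is that the shortcut's Properties dialog is not a trustworthy view of what a .LNK file will run, so triage should read the file structure directly. The following is an added example, not code from Trend Micro, ZDI or this article: it parses the ShellLinkHeader and StringData sections defined in Microsoft's MS-SHLLINK specification, pulls out the stored COMMAND_LINE_ARGUMENTS string, and flags it when it is longer than the dialog can display or contains long runs of whitespace or control characters. The 260-character display limit, the 32-character run threshold and the two sample files are assumptions and constructed inputs for the demonstration; the article does not describe the hiding mechanism, and the heuristics are mine.

```python
"""Extract and inspect the command-line arguments stored in a Windows .LNK file.

Added example (not from the article). Parsing follows MS-SHLLINK; the
suspicion heuristics and the sample files are assumptions built for the demo.
"""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as serialized on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag bit is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed thresholds: the Target field shows roughly MAX_PATH characters, and a
# run of 32 whitespace/control characters has no legitimate use in arguments.
MAX_VISIBLE_CHARS = 260
PAD_RUN_THRESHOLD = 32
PAD_CHARS = set("\t\n\x0b\x0c\r ")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    result = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return result


def inspect_arguments(args: str) -> list:
    """Heuristic findings for a COMMAND_LINE_ARGUMENTS string (assumed thresholds)."""
    findings = []
    if len(args) > MAX_VISIBLE_CHARS:
        findings.append(f"arguments are {len(args)} chars, beyond what the Properties dialog shows")
    run = longest = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    if longest >= PAD_RUN_THRESHOLD:
        findings.append(f"run of {longest} whitespace/control characters inside arguments")
    return findings


def scan_lnk(data: bytes) -> dict:
    """Parse a .LNK and report its real arguments plus any findings."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    return {"target": info.get("relative_path", ""), "arguments": args,
            "findings": inspect_arguments(args)}


def build_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Construct a minimal Unicode shell link for testing (sample data, not a real artifact)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags) + bytes(HEADER_SIZE - 24)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: an ordinary shortcut and one whose arguments are padded
# so the visible part of the Target field looks empty.
BENIGN_LNK = build_lnk("/c echo hello")
PADDED_LNK = build_lnk(" " * 300 + "/c echo hidden")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        report = scan_lnk(blob)
        print(label, repr(report["arguments"].strip()[:40]), report["findings"])
```

Run it against a real shortcut with `scan_lnk(open(path, "rb").read())`; any finding means the arguments deserve a look in a hex viewer or a full parser, because the dialog will not show them.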
Western Alliance Bank Breach Exposes 22,000 Customers’ Data
Arizona-based Western Alliance Bank notified nearly 22,000 customers that their data was stolen in an October 2024 cyberattack exploiting a third-party file transfer software vulnerability. The breach, first disclosed in February, involved attackers exfiltrating files from Western Alliance systems.
Stolen data includes names, Social Security numbers, birth dates, financial account details and identification documents. Western Alliance Bank is one of dozens of firms that the Russian-speaking Clop ransomware gang claimed to have hacked last December during a mass attack against managed file-transfer software built by Cleo Communications (see: Online Extortion Gang Clop Threatens Cleo Hacking Victims).
Apple Fixes Passwords App Bug After Months of Phishing Risk
Apple patched a flaw in the iOS 18.2 Passwords app that left users vulnerable to phishing attacks for more than three months. Security researchers at Mysk found the app used unencrypted HTTP connections to open links and fetch icons, exposing users to interception and redirection by attackers. It defaulted to HTTP for password reset pages, increasing phishing risks.
Apple has now enforced HTTPS by default, ensuring secure connections.
California Cryobank Data Breach Exposes Customer Information
The United States’ largest sperm bank, California Cryobank, disclosed a data breach exposing customer information. The company detected suspicious activity on April 21, 2024, and found that an unauthorized party accessed its IT systems between April 20 and April 22. Exposed data includes names, bank details, Social Security numbers, drivers’ license numbers, payment card details and health insurance information.