An innocent photo can turn your phone into a silent spy
A WhatsApp message arrives. A photo downloads on its own, the way it happens millions of times a day. You do not click. You do not open it. You do nothing. And yet your phone has become a spy

Zero-click attacks: when our digital everyday life betrays us
A WhatsApp message arrives. A photo downloads on its own, the way it happens millions of times a day. You do not click. You do not open it. You do nothing.
And yet your phone is already compromised. A spy in your pocket.
Microphone activated remotely. Messages read in real time. Location tracked. Personal photos exfiltrated. All of it in silence. No notification. No alert. Without you seeing anything at all.
Welcome to the world of zero-click attacks.
This is not science fiction. This is 2025.
In 2025, zero-click flaws exploited through malicious images were confirmed on iOS, macOS and certain Samsung Android devices. Not in a theoretical report. Not in a lab. In real life, on real phones, belonging to real people.
Commercial spyware was deployed in silence, hitting journalists, human rights activists, political opponents. These cases are documented by Amnesty International, by the researchers at Palo Alto Networks (Unit 42), confirmed by Meta and added to the catalog of actively exploited flaws maintained by CISA, the US cybersecurity agency.
The attack cycle is terrifyingly simple: identify the target, stealthily send a booby-trapped image, automatic processing by the app, exploitation of the flaw, installation of the spyware, mass data theft. Zero interaction on your part.
We are talking here about fewer than 200 confirmed targets for the WhatsApp/Apple campaign. That is few. But that is exactly the problem: when it happens, it is invisible.

How a simple image becomes a weapon
WhatsApp automatically downloads and processes media to display previews. It is convenient. It is fast. And that is exactly where the problem lies.
This processing relies on complex image-decoding libraries, such as ImageIO at Apple or libimagecodec.quram.so at Samsung. Software building blocks that no one sees, but that everyone uses.
A rigged image, often in the DNG format (a RAW format used in photography), triggers a critical error in these libraries: buffer overflow, out-of-bounds write. The malicious code runs. And from that point on, your phone is no longer yours.
The concrete cases of 2025:
On Apple (iOS/macOS): a combination of two flaws - CVE-2025-55177 in WhatsApp (incomplete authorisation of linked-device sync messages) and CVE-2025-43300 in Apple ImageIO (memory corruption when processing a malicious image). The result: a zero-click attack confirmed by Meta and Amnesty International, targeting dozens to hundreds of people.
On Samsung Android: CVE-2025-21042 in Samsung's image-processing library. The LANDFALL spyware (a commercial-grade tool) was delivered through malformed DNG files sent over WhatsApp. Zero-click or near zero-click exploitation. Targets identified in Iraq, Iran, Turkey, Morocco.
These vulnerabilities were actively exploited before being fixed. The patches now exist. But the attacks took place.

The real problem is not technical. It is societal.
You can fix a flaw. You can patch a system. But you do not fix a digital culture with an update.
These attacks reveal something deeper about our relationship with the digital world. Something we refuse to see.
Freedom of expression is retreating in silence. Journalists targeted. Activists surveilled. Opponents silenced. When a simple message can compromise your phone, the fear of speaking freely sets in. This is no longer theoretical, it is documented.
We sacrificed security for convenience. We want instant previews, automatic downloads, smoothness everywhere. Without knowing it, we accepted a massive exposure. Every "convenient" feature is one more attack surface.
The most vulnerable are the least protected. In countries where WhatsApp dominates; often those where updates arrive latest, where digital literacy is weakest; the risk is greatest.
Our privacy depends on players we do not control. Meta. Libraries that are sometimes poorly audited. States or private companies that buy these tools off the shelf. Your private life is in the hands of an ecosystem you do not even see.
95 % of cybersecurity incidents have a human origin. But 95 % of the discussions stay at the technical level. There is a cognitive dissonance problem right there.
What you can do. Right now.
I am not going to give you a course in advanced cybersecurity. The first line of defence is you. And these steps are simple.
1. Disable automatic media download. This is the number one move. The one that cuts the attack vector off at the root. On Android: WhatsApp Settings → Storage and data → Media auto-download → uncheck photos. On iPhone: same logic in Settings → WhatsApp → Storage and data.
2. Update WhatsApp and your system. Every time. The 2025 fixes closed these specific flaws. But only if you installed them. An ignored update is a door left open.
3. For sensitive exchanges, consider Signal. Open source, frequent audits, open code. It is not an absolute guarantee, no tool is, but it is a notch above in terms of transparency.
4. Watch for unusual signals. A battery that drains abnormally fast. Unexplained overheating. Data consumption that spikes. Unknown apps. Your phone sometimes talks to you. Learn to listen to it.

(source: https://www.online-tech-tips.com/)

(source: https://www.gadgets360.com/)
Beyond the patches: a question of culture
In 2026, the real issue goes beyond technology. This is not an engineers' problem. It is a problem of society.
Demanding more transparency about the software components that process our data. Supporting audited open source alternatives. Pushing for NIS2 to be fully applied and reinforced in Europe. No longer accepting the idea that our digital security is a variable to be traded off against convenience.
A photo that arrives is no longer harmless. It can be a gateway to your privacy, your freedom, your personal security.
Want to know more? I recommend my book Être en cybersécurité.

Disable automatic download starting today.
Share this article. And ask yourself the question. Seriously: how far are we willing to go in sacrificing our privacy for instant convenience?
Christophe Mazzola
Sources
- CVE-2025-55177, WhatsApp Security Advisory (whatsapp.com/security/advisories/2025)
- CVE-2025-43300, Apple Security Update, macOS Sequoia 15.6.1 / iOS 18.6.2
- CVE-2025-21042, Samsung Security Maintenance Release, avril 2025
- Unit 42 / Palo Alto Networks, LANDFALL: New Commercial-Grade Android Spyware (novembre 2025)
- Amnesty International Security Lab, Confirmation des attaques ciblées WhatsApp/Apple
- CISA Known Exploited Vulnerabilities Catalog, CVE-2025-55177 & CVE-2025-21042
Questions fréquentes
What is a zero-click attack?
An attack that compromises your phone without any action on your part: all it takes is for a booby-trapped image to be received and automatically processed by an app like WhatsApp for the malicious code to run.
How can a simple image hack a phone?
WhatsApp automatically downloads and decodes media to display a preview. A rigged image, often in the DNG format, causes memory corruption (buffer overflow, out-of-bounds write) in decoding libraries such as Apple's ImageIO, which makes it possible to run malicious code.
Who was targeted by these attacks in 2025?
Journalists, human rights activists and political opponents, with fewer than 200 confirmed targets for the WhatsApp/Apple campaign. For the LANDFALL spyware on Samsung, targets were identified in Iraq, Iran, Turkey and Morocco.
How do I protect myself now?
Disable automatic media download in WhatsApp, always update the app and your system, favour Signal for sensitive exchanges, and watch for unusual signals (battery, overheating, data consumption).
Sources & méthodologie
- CVE-2025-55177, WhatsApp Security Advisory (whatsapp.com/security/advisories/2025)
- CVE-2025-43300, Apple Security Update, macOS Sequoia 15.6.1 / iOS 18.6.2
- CVE-2025-21042, Samsung Security Maintenance Release, avril 2025
- Unit 42 / Palo Alto Networks, LANDFALL: New Commercial-Grade Android Spyware (novembre 2025)
- Amnesty International Security Lab, Confirmation des attaques ciblées WhatsApp/Apple
- CISA Known Exploited Vulnerabilities Catalog, CVE-2025-55177 & CVE-2025-21042

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
