Apple fixes zero-click exploit underpinning Paragon spyware attacks
Apple has updated its iOS/iPadOS 18.3.1 documentation, confirming it introduced fixes for the zero-click vulnerability used to infect journalists with Paragon’s Graphite spyware.
The infections were confirmed when two journalists approached spyware researchers at The Citizen Lab after receiving notifications from Apple in April that they were targeted by spyware.
The researchers looked under the hood of the reporters’ phones and confirmed the infections. Apple has since assigned the zero-day vulnerability CVE-2025-43200 (severity score 7.5), saying it was addressed with improved checks.
“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link,” it said in the update. “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
The details of the patch were added this week for the first time, despite version 18.3.1 and its documentation being released in February. The two journalists are thought to have been infected between January and February while running iOS version 18.2.1.
The Citizen Lab claimed it had determined with “high confidence” that the attacks were carried out by the same group. One of the journalists involved wished to remain anonymous, while the other, Ciro Pellegrino, a reporter for the Italian news site Fanpage.it, was happy to be identified.
Francesco Cancellato is Pellegrino’s editor at the online newspaper, which recently attracted attention for an undercover exposé of the youth group of Italy’s right-wing Fratelli d’Italia. Cancellato said he also received a notification in January that he was targeted by spyware.
However, this notification came from WhatsApp, said Cancellato, who was using an Android-based phone, and researchers weren’t able to confirm an infection due to the state of the device’s logs.
“Following Mr Cancellato’s case, the identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization,” said The Citizen Lab’s Bill Marczak and John Scott-Railton. “This appears to be a distinct cluster of cases that warrants further scrutiny.”
The WhatsApp notifications were sent to around 90 users – journalists and activists, including Cancellato – and Apple’s alerts in April spanned users across 100 countries.
Zero-click attacks are nothing new in the spyware world; they have been seen in use, and later patched, in the likes of NSO Group’s Pegasus spyware.
The Citizen Lab said it believes the latest Paragon infections were likely invisible to the victims, and mobile security experts at Jamf said Graphite is an exceptionally tricky strain of spyware.
“What makes Graphite especially dangerous is its ability to operate covertly in memory, often leaving minimal artefacts on disk,” said Jamf’s senior security strategy manager Adam Boynton.
“It is capable of creating system-level impersonations – for example, registering hidden iMessage accounts or spoofing security features – to conceal its presence from both the user and standard detection tools. These tactics make traditional mobile security models insufficient on their own.”
The Italian government confirmed on Monday that it terminated its contract with the Israeli spyware slinger Paragon in a bid to end the ongoing spyware scandal.
The decision came after a parliamentary security committee (COPASIR) published a report [PDF, in Italian] acknowledging that seven individuals in Italy had been infected with Graphite.
Among those seven was Cancellato, but, like The Citizen Lab, the committee could not say with confidence who was behind the attack on the journalist.
The Citizen Lab had previously confirmed infections with two other individuals named in the report, Luca Casarini and Dr Giuseppe Caccia – co-founders of human rights group Mediterranea Saving Humans.
COPASIR’s report notes that the government opened contracts with Paragon in 2023 and 2024, and claims that intelligence services used the spyware sparingly.
Only a small number of people were investigated, on grounds such as potential terrorism, immigration, spying, and other suspected crimes.
Victims of spyware are advised to contact organizations such as Access Now, Amnesty International’s Security Lab, and The Citizen Lab, which have teams dedicated to helping individuals work through their cases.
Boynton also suggested iPhone users keep their devices updated and turn on Lockdown Mode, which trades some fundamental iOS functionality for greater protection from spyware strains and the exploits that enable them. ®