
WhatsApp has told roughly 200 users that they were duped into installing a counterfeit iOS version of the messenger that carried spyware, the company said in a statement. The fake app was distributed outside the official Apple App Store and relied on social engineering to convince targets to tap download links sent via message or email.
The malicious client was not signed by Apple and could only be installed after users accepted an unsigned profile or followed a direct link to an external server, according to reports. Once opened, the spyware could harvest message contents, contact lists, location data and microphone input, though WhatsApp stressed that the flaw was not in its own code and that end‑to‑end encryption remained intact for genuine users. No CVE identifier has been assigned to this activity because the issue resides in the counterfeit binary rather than the official client.
WhatsApp tied the campaign to Asigint, an Italian subsidiary of the spyware vendor SIO, which had previously been linked to a set of fraudulent Android apps posing as WhatsApp and other services in December 2025. The company described the activity as highly targeted and part of a broader investigative effort that may involve law enforcement agencies in Europe. Analysts note that the focus on Italian users suggests a specific intelligence‑gathering objective rather than a broad criminal scheme.
After discovering the compromise, WhatsApp logged out the affected accounts, advised owners to delete the bogus application and reinstall the official version from the App Store, and said it is pursuing legal steps against Asigint. The firm also confirmed that it has contacted Italian authorities to assist with any potential investigation into the spyware’s deployment. Users who followed the guidance were told to monitor their devices for any signs of lingering compromise.
Users should only install software from official marketplaces, verify the developer name matches WhatsApp LLC, and check for any unfamiliar configuration profiles in the device settings. Enabling two‑factor authentication on the WhatsApp account and reviewing recent login activity can help detect unauthorized access. Monitoring for unexpected battery drain or unusual network traffic may reveal the presence of spyware, and any suspicious app should be removed immediately. Keeping the iOS operating system up to date reduces the chance that outdated security controls will be bypassed by malicious configuration profiles.
WhatsApp reiterated that the end‑to‑end encryption of its genuine apps protects the content of messages and that the incident did not weaken that guarantee, urging anyone who encounters a suspect version to report it through the app’s support channels.