May 26, 2026 · 7 min read
A New Zero Click WhatsApp Takeover Hijacks iPhone Accounts Running iOS 16 With No Warning, No Linked Device Prompt, and No User Interaction: Victims Only Find Out When They Are Suddenly Logged Out, and the Attacker's Session Keeps Working
Security Affairs reported on May 25, 2026 that researchers had observed in-the-wild WhatsApp account takeovers targeting iPhone users running iOS 16. The attack is delivered over WhatsApp's own messaging protocol: no tap, no click, no link, no QR scan, and no linked-device prompt. The victim's first sign of compromise is being signed out, while the attacker's session stays active and the attacker keeps using the account.
Key Takeaways
- Security Affairs disclosed on May 25, 2026 a zero click WhatsApp account takeover affecting iPhones running iOS 16, with no user interaction required and no prompts shown.
- The attack bypasses WhatsApp's linked device confirmation flow, leaving the victim with no on screen warning that another session has been authorized.
- The first symptom is the victim being silently logged out of WhatsApp on their own phone. The attacker's session remains active.
- iOS 16 is no longer the current major iOS version. Apple released iOS 17 in September 2023 and iOS 18 in September 2024. Devices still on iOS 16 are most commonly the iPhone 8, iPhone 8 Plus and iPhone X, whose supported upgrade path ends at iOS 16 (iOS 17 dropped them), plus owners of newer iPhones who chose not to update.
- The defensive answer is to update to the latest iOS the device supports, log out every WhatsApp session the victim does not recognise, and treat anything sent from the victim's account during the window of compromise as possibly written by the attacker; contacts should confirm any request received in that period through another channel.
What Is a Zero Click Account Takeover?
A zero click attack delivers a malicious payload through a channel the target device is required to process automatically. The user does not have to read a message, tap a notification, click a link, or scan a QR code. The vulnerable code is exercised before the message ever surfaces in the user interface. The phone's first opportunity to show the user anything has already passed by the time the exploit runs.
In a WhatsApp takeover the twist is that the attack's result is not code execution on the phone but a successful session enrollment. The attacker convinces WhatsApp's infrastructure that the attacker's device is a legitimate linked or replacement session for the victim's phone number. WhatsApp normally gates this in one of two ways: a new linked device must be confirmed by scanning a QR code from inside the app on the primary phone, and a new primary registration must be confirmed by entering the six-digit code WhatsApp sends by SMS or voice call. The disclosed attack is reported to bypass both while still obtaining a working session token.
Once the attacker holds a session tied to the victim's phone number, the attacker has what the legitimate user has: chat history (at least what WhatsApp syncs to a newly enrolled device, and more if the attacker can also reach a cloud backup), the contact list, group memberships, the ability to send and receive messages as the victim, and the one-time codes that any service delivering OTPs over WhatsApp sends to that number.
Why Is iOS 16 the Affected Version?
Apple releases a new iOS major version each September. iOS 16 shipped in September 2022, iOS 17 in September 2023 and iOS 18 in September 2024. The devices still running iOS 16 in May 2026 fall into two groups. The first is the iPhone 8, iPhone 8 Plus and iPhone X, the last models whose supported update path stops at iOS 16 (older models such as the iPhone 7 never received iOS 16 at all). The second is users on a newer iPhone who have deferred or refused the iOS 17 and iOS 18 updates.
The first group is large and concentrated outside the US and Western Europe. iPhone 8 series devices remain in wide use as primary phones in emerging markets, where the cost of replacement is the binding constraint. Many journalists, activists and human rights workers in those regions use exactly these devices because they are affordable, well documented and predictable. That is also the population commercial spyware vendors have most often been documented targeting.
A zero click WhatsApp takeover that targets iOS 16 specifically therefore disproportionately affects the population least able to update its way out of the threat. For an iPhone 8 owner, updating past iOS 16 is not an option without buying a new phone.
How Does the Victim Know They Have Been Compromised?
The first detectable signal in the reported cases is the victim being signed out of WhatsApp on their own phone. The user opens WhatsApp expecting the chat list, sees the verify-your-phone-number screen instead, enters the number, receives a six-digit code over SMS, types it in, and the session resumes on the phone. The sign-out itself is the tell: WhatsApp allows one primary registration per phone number, and registering the number on another phone is what pushes the original phone out. That is consistent with the attacker's session having taken the primary slot, although the report does not say which form the enrollment took.
During the gap between sign-out and re-registration the attacker has had unrestricted access. Re-registering does not necessarily evict the attacker, because WhatsApp's session model supports several concurrent devices per account. If the attacker's session was enrolled as a linked companion device rather than as a replacement primary phone, it can remain active after the victim re-registers.
The defensive step that catches this case is to open WhatsApp Settings, go to Linked Devices, and read the list. Any session that does not correspond to a device the user owns should be logged out immediately. Next, change the WhatsApp two-step verification PIN, or set one if it was never enabled. Then tell contacts the account was briefly compromised, because the attacker may have used the window to message them and ask for information.
Why Is This a Privacy Story, Not Just a Security Story?
An account takeover hands the attacker more than the messages themselves. WhatsApp accounts in 2026 are anchored to phone numbers, and the phone number is the universal identifier for a long list of other services. A successful WhatsApp takeover gives the attacker the ability to send messages that look authentic to the victim's professional and personal contact graph, which is the raw material for high quality social engineering.
The same access supports a privacy attack that has less to do with the immediate financial outcome and more to do with intelligence collection. The attacker can read every message exchanged during the window of compromise. The attacker can see group memberships, which reveal political, religious, and professional affiliations. The attacker can copy the contact list, which is a high value asset on its own. For journalists working with sources, activists coordinating with peers, or lawyers communicating with clients, any of those readings is more damaging than the financial loss.
The threat model overlaps with the threat model that the DHS ICE Paragon spyware coverage describes. A different attacker, a different delivery mechanism, but the same outcome—an external party reads the victim's messages without the victim knowing.
What Should iOS 16 Users Do Right Now?
Three concrete steps, in order of urgency:
- Update iOS if possible. Settings, General, Software Update. If the device supports iOS 17 or 18, install it. If the device's top supported iOS is 16, the only safe option is to plan a replacement to a model that supports iOS 17 or later. Apple has not announced an iOS 16 patch for this issue at the time of writing.
- Enable WhatsApp two step verification. Settings, Account, Two step verification. Set a PIN and a recovery email. WhatsApp asks for this PIN when the number is registered on a new phone, so it raises the cost of a conventional re-registration; whether the disclosed bypass also sidesteps the PIN check is not stated in the report, so treat it as a hurdle rather than a fix.
- Audit linked devices weekly. Settings, Linked Devices. Anything unfamiliar—log it out. Make this a calendar task. The attack class will outlive this specific incident.
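The three steps above are manual, but the first one can be checked across a batch of phones. The following Python script is an added example, not code from the original article or from the Security Affairs report: it reads the `Key: value` output of `ideviceinfo` (libimobiledevice), classifies each iPhone as already current, updatable, or capped at iOS 16 and due for replacement, using the iPhone 8 / 8 Plus / X family the article describes. The device outputs below are constructed samples, the product-type table covers only the families the article discusses, and `CURRENT_MAJOR` assumes iOS 18 is the newest major (the latest release the article names), so it must be raised as Apple ships newer versions.

```python
"""Triage iPhones by whether they can be updated past iOS 16.

Added example, not from the original article. It parses the `Key: value`
lines printed by `ideviceinfo` (libimobiledevice) and classifies each
phone as "current", "update" (a newer iOS is available) or "replace"
(hardware capped at iOS 16 or older). Sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# Highest iOS major each hardware family can install. Only the families
# the article discusses are listed; any other ProductType is assumed to
# support the current major. ProductType values are Apple's identifiers:
# iPhone10,x is the iPhone 8 / 8 Plus / X family, iPhone9,x the iPhone 7 / 7 Plus.
MAX_MAJOR_BY_FAMILY = {
    "iPhone9": 15,   # iPhone 7 / 7 Plus: last supported release is iOS 15
    "iPhone10": 16,  # iPhone 8 / 8 Plus / X: last supported release is iOS 16
}

# Assumption: iOS 18 is the newest major (the latest the article names).
CURRENT_MAJOR = 18


@dataclass
class Verdict:
    label: str
    product_type: str
    version: str
    status: str   # "current", "update" or "replace"
    detail: str


def parse_ideviceinfo(text: str) -> dict:
    """Turn `ideviceinfo` output ("Key: value" per line) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def version_tuple(version: str) -> tuple:
    """'16.7.10' -> (16, 7, 10), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def max_major_for(product_type: str) -> int:
    """Highest iOS major the hardware family can run."""
    family = product_type.split(",")[0]
    return MAX_MAJOR_BY_FAMILY.get(family, CURRENT_MAJOR)


def triage(label: str, ideviceinfo_output: str) -> Verdict:
    """Decide whether one phone is current, can be updated, or must be replaced."""
    info = parse_ideviceinfo(ideviceinfo_output)
    product_type = info["ProductType"]
    version = info["ProductVersion"]
    major = version_tuple(version)[0]
    cap = max_major_for(product_type)
    if major >= CURRENT_MAJOR:
        status, detail = "current", "already on the newest major"
    elif cap > major:
        status, detail = "update", f"hardware supports up to iOS {cap}; install the update"
    else:
        status, detail = "replace", f"hardware capped at iOS {cap}; plan a replacement"
    return Verdict(label, product_type, version, status, detail)


# Constructed excerpts of `ideviceinfo` output for four imaginary phones.
SAMPLE_DEVICES = {
    "desk-01": "DeviceName: iPhone\nProductType: iPhone10,1\nProductVersion: 16.7.10\n",
    "desk-02": "DeviceName: iPhone\nProductType: iPhone11,8\nProductVersion: 16.7.10\n",
    "desk-03": "DeviceName: iPhone\nProductType: iPhone15,4\nProductVersion: 18.4\n",
    "desk-04": "DeviceName: iPhone\nProductType: iPhone9,3\nProductVersion: 15.8\n",
}


def triage_fleet(devices: dict) -> list:
    """Run triage over a mapping of label -> ideviceinfo output."""
    return [triage(label, output) for label, output in devices.items()]


if __name__ == "__main__":
    # For a real phone plugged in over USB (and already trusted), capture with:
    #   ideviceinfo -u <UDID> > desk-01.txt
    for v in triage_fleet(SAMPLE_DEVICES):
        print(f"{v.label}: {v.product_type} iOS {v.version} -> {v.status} ({v.detail})")
```

The same table can be extended with further families as Apple retires them; the point of keeping the cap per hardware family rather than per device is that the "replace" verdict is what separates the population this article is about from everyone else, who can simply install the update.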
For users at higher threat levels, consider enabling Apple's Lockdown Mode (Settings, Privacy and Security, Lockdown Mode). Lockdown Mode narrows the automatic processing that iOS itself performs on incoming data: most Messages attachment types are blocked, link previews are disabled, complex web technologies are switched off, incoming FaceTime calls from unknown callers are refused, and wired connections are blocked while the phone is locked. Several documented zero-click chains against iMessage break on a device in Lockdown Mode. The caveat for this incident is that Lockdown Mode does not change how a third-party app such as WhatsApp parses its own protocol, so it helps only if the exploit chain also depends on an iOS component that Lockdown restricts. The cost is some loss of normal functionality: certain message types render less richly and some web features are restricted.
Background coverage on Lockdown Mode is in our piece on Apple's Lockdown Mode and the spyware track record.