
Forenser documents zero-click WhatsApp account takeover on iPhone iOS 16 - parallel session, no linked devices, used for wire-transfer scams

Italian digital forensics firm Forenser has documented an active zero-click WhatsApp account-takeover campaign targeting iPhone users on iOS 16. Victims (iPhone 8 through 14) found wire-transfer requests sent from their accounts to recent contacts, with no entries under WhatsApp's Linked Devices and no QR-code pairing having taken place. Unified-log analysis shows continuous WhatsApp session-resync events, the signature of two endpoints competing for the same account: the attacker holds a parallel session that bypasses the standard linked-device registration, so there is no linked device for the victim to see or revoke. The campaign relies on known iOS 16 vulnerabilities, which is why the remedy is an OS upgrade rather than a WhatsApp setting. Affected users do not see archived chats, which suggests the attacker's session has access only to recent chats. Forenser recommends upgrading to iOS 17 or later.

Check
Query MDM inventory for iPhones still on any iOS 16 build. Open WhatsApp > Settings > Linked Devices on possibly affected handsets; in this campaign the list appears empty, so an empty list does not clear a device. Pull the unified logs (for example from a sysdiagnose archive) and look for a continuous stream of WhatsApp session-resync events rather than the occasional resync a healthy client produces; apply Forenser's IoCs where they match.
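A triage script for the two checks above, added here as an example and not code from Forenser or from the original page. It filters a constructed MDM inventory export for affected iPhone models still on iOS 16, then scans constructed unified-log lines for bursts of WhatsApp session-resync events using a sliding window. The CSV column names, the log message text "session resync", and the burst threshold are assumptions; substitute your MDM's export schema and the exact indicators Forenser publishes.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# --- 1. MDM inventory triage ---------------------------------------------
# Constructed sample of an MDM inventory export (CSV). The column names are
# an assumption; adapt them to your MDM's export schema.
MDM_EXPORT = """serial,model,os_version,assigned_user
F2LAAA001,iPhone 8,16.7.8,alice
F2LAAA002,iPhone XR,16.6,bob
F2LAAA003,iPhone 14 Pro,16.5.1,carol
F2LAAA004,iPhone 13,17.4.1,dave
F2LAAA005,iPhone 15,17.5,erin
F2LAAA006,iPad Pro 11-inch,16.7.8,frank
"""

# Models named in the advisory: iPhone 8 through 14, including X, XR, XS, 11,
# SE, 12, 13. Plus/Pro/Max/mini variants share the base designation, so the
# regex matches on that and lets the word boundary absorb any suffix.
AFFECTED_MODEL_RE = re.compile(r"^iPhone (8|X[RS]?|11|SE|12|13|14)\b")


def ios_major(version: str) -> int:
    """Major version from a dotted iOS version string such as '16.7.8'."""
    return int(version.split(".")[0])


def find_exposed_handsets(csv_text: str) -> list[str]:
    """Serials of affected iPhone models still on iOS 16 (any 16.x build)."""
    exposed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ios_major(row["os_version"]) == 16 and AFFECTED_MODEL_RE.match(row["model"]):
            exposed.append(row["serial"])
    return exposed


# --- 2. Unified-log resync burst detection --------------------------------
# Constructed lines in the shape of `log show --archive <sysdiagnose>` output.
# The message text "session resync" is an ASSUMPTION used as a placeholder for
# the indicator Forenser publishes; the advisory does not quote it.
LOG_LINES = """2024-05-06 09:14:02.118233+0200 0x5a1 Default 0x0 712 0 WhatsApp: session resync requested
2024-05-06 09:14:07.402911+0200 0x5a1 Default 0x0 712 0 WhatsApp: session resync requested
2024-05-06 09:14:12.771004+0200 0x5a1 Default 0x0 712 0 WhatsApp: session resync requested
2024-05-06 09:14:18.009541+0200 0x5a1 Default 0x0 712 0 WhatsApp: session resync requested
2024-05-06 09:14:23.330870+0200 0x5a1 Default 0x0 712 0 WhatsApp: session resync requested
2024-05-06 09:14:28.655112+0200 0x5a1 Default 0x0 712 0 WhatsApp: session resync requested
2024-05-06 11:40:55.120000+0200 0x5a1 Default 0x0 712 0 WhatsApp: network reachability changed
"""

# First two whitespace-separated tokens are the date and the time-with-offset.
RESYNC_RE = re.compile(r"^(\S+ \S+) .*WhatsApp: session resync")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"


def resync_timestamps(log_text: str) -> list[datetime]:
    """Timestamps of every line carrying the (assumed) resync indicator."""
    stamps = []
    for line in log_text.splitlines():
        m = RESYNC_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), TS_FORMAT))
    return stamps


def max_resync_burst(times: list[datetime], window: timedelta = timedelta(minutes=1)) -> int:
    """Largest number of resync events inside any sliding window of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def looks_continuous(log_text: str, window: timedelta = timedelta(minutes=1), threshold: int = 5) -> bool:
    """A healthy client resyncs occasionally; a handset competing with a parallel
    session resyncs in a steady stream. The threshold is a tunable assumption."""
    return max_resync_burst(resync_timestamps(log_text), window) >= threshold


if __name__ == "__main__":
    print("still on iOS 16, affected model:", find_exposed_handsets(MDM_EXPORT))
    print("resync burst (events/min):", max_resync_burst(resync_timestamps(LOG_LINES)))
    print("continuous resync pattern:", looks_continuous(LOG_LINES))
```

The burst window and threshold are deliberately parameters: tune them against a known-clean handset's sysdiagnose first, since a single resync after a network change is normal and only the sustained stream is the indicator the advisory describes.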
Affected
iPhone users on iOS 16 (iPhone 8 through 14, including X, XR, XS, 11, SE, 12, 13). WhatsApp on these devices is susceptible to a zero-click parallel-session takeover.
Fix
Upgrade affected iPhones to iOS 17 or later immediately. After the upgrade, sign out and re-register WhatsApp on each handset so the account is verified afresh on the patched device. Educate users to verify suspicious wire-transfer requests via a second channel such as a phone call, not a WhatsApp reply, since the attacker's session can read recent chats.