WhatsApp, a global messaging platform, has issued a security alert after uncovering a spyware campaign that tricked users into downloading a fake version of its app.
The Meta-owned platform said it had notified about 200 users who were targeted in the attack, which involved a fake WhatsApp application embedded with malicious surveillance software. The app was designed to closely mimic the official interface, enabling attackers to infiltrate devices and potentially gain access to sensitive personal data.
According to WhatsApp, the campaign appeared to be highly targeted, with the majority of affected users located in Italy. The company linked the operation to an Italian surveillance technology firm, raising fresh concerns over the misuse of commercial spyware tools by private companies and state-linked actors.
The company noted that the malicious application was not distributed through official app stores. Instead, it was installed through unofficial channels, likely using techniques that bypass standard smartphone security protections.
In response, WhatsApp said it has taken steps to contain the threat and is working with platform providers to limit further spread of the spyware. The company also urged users to download applications only from trusted sources, such as official app stores, and to avoid clicking on suspicious links or prompts that encourage external downloads.
The incident highlights a growing trend of increasingly sophisticated cyberattacks targeting messaging platforms, underscoring persistent risks to user privacy and data security across the digital ecosystem.
As messaging apps continue to serve as primary channels for communication, financial transactions, and information sharing, they are becoming more attractive targets for threat actors seeking to exploit vulnerabilities through deceptive tactics such as fake applications and social engineering.
The development also points to the evolving nature of cyber threats, where attackers are deploying more advanced and targeted methods to bypass security safeguards and gain unauthorised access to sensitive user data.
