Silent Call, Full Compromise: Inside the WhatsApp Zero-Day Voice Exploit Targeting Banking Customers

Incident Overview

On January 12, 2026, cybersecurity authorities in the UAE issued a high-priority warning to banking customers and several regulated institutions after identifying a critical zero-day flaw in WhatsApp. The issue allowed attackers to compromise smartphones remotely using nothing more than a single WhatsApp voice call.

What made the situation particularly serious was that the exploit required no user interaction. Victims did not need to answer the call, click anything, or even notice it. In many reported cases, the call rang briefly or appeared as a missed call before disconnecting, while the compromise had already taken place in the background.

The activity was assessed as targeted rather than random, with a clear focus on individuals connected to financial services, including bank customers, executives, and high-value account holders.


What Actually Happened

Threat actors uncovered a flaw in WhatsApp’s voice calling implementation that allowed them to inject malicious data during the call setup phase. By abusing how the app handled voice call signaling traffic, attackers were able to trigger memory corruption inside the WhatsApp process.

Once the malicious call was received, WhatsApp processed the attacker-controlled data automatically. This resulted in the execution of attacker-supplied code on the victim’s device, effectively giving the attacker control without alerting the user.

From that point forward, the attacker could silently deploy spyware, monitor communications, steal sensitive data, and maintain ongoing access to the device.


How the Attack Worked

1. Initial Entry Point

The only entry point required was an incoming WhatsApp voice call. The attacker used a modified or custom WhatsApp client capable of sending malformed call signaling data.

Key characteristics of the attack vector:

  • Delivered via WhatsApp VoIP functionality
  • No authentication required
  • No user interaction required
  • Exploit triggered before call acceptance

This meant traditional user awareness defenses were completely bypassed.


2. Vulnerability Details

The vulnerability itself was classified as a previously unknown (zero-day) memory handling flaw within WhatsApp’s voice call processing logic.

The issue manifested as one or more of the following:

  • Heap buffer overflow
  • Use-after-free condition
  • Out-of-bounds memory write

The flaw occurred while WhatsApp parsed call metadata and session information, not during audio playback. As a result, the exploit triggered during the call setup stage, making it extremely reliable and difficult to detect.


3. Payload Execution Flow

Once memory corruption was achieved, the attackers executed a multi-stage payload designed for stealth and persistence.

Stage One – In-Memory Loader
The first-stage shellcode ran entirely in memory inside the WhatsApp process. No files were written to disk at this point, which helped the attackers evade mobile security tools.

Stage Two – Payload Expansion
The loader contacted attacker-controlled infrastructure to retrieve additional components. Communications were encrypted and designed to blend in with legitimate WhatsApp traffic patterns.

Stage Three – Persistence and Control
Depending on the device type, operating system version, and patch level, the malware used different persistence techniques, including:

  • Abuse of accessibility services on Android
  • Misuse of mobile device management mechanisms
  • Configuration profile abuse
  • Chaining with additional OS-level privilege escalation flaws on vulnerable devices

Malware Payload Capabilities

The deployed payloads were modular and could be updated remotely. Observed capabilities included:

  • Extraction of WhatsApp messages and attachments
  • Access to SMS and email content
  • Call history retrieval and live call recording
  • Remote microphone activation
  • Camera access for image capture
  • Contact list harvesting
  • Interception of one-time passwords
  • Credential theft targeting banking applications
  • Clipboard monitoring

The malware was heavily obfuscated and frequently recompiled, resulting in constantly changing file hashes and minimal overlap with known malware signatures.


Affected Devices and Platforms

Operating Systems

  • Android devices were the most affected, especially those running older security patch levels
  • iOS exploitation was confirmed in limited cases, primarily on older versions

Device Scope

  • Smartphones only
  • No confirmed impact on desktop or web-based WhatsApp clients

Impacted Sectors

Primary Impact

  • Retail banking customers
  • Private banking and wealth management clients
  • Senior executives and decision-makers

Secondary Impact

  • Government personnel
  • Legal professionals
  • Journalists
  • Security researchers

While banks themselves were not directly breached, compromised customer devices enabled attackers to bypass fraud controls, intercept authentication codes, and perform account takeover activities.


Indicators of Compromise (IOCs)

Device-Level Signs

  • WhatsApp crashing shortly after a missed or dropped call
  • Noticeable battery drain without heavy usage
  • Increased mobile data consumption while idle
  • Device overheating
  • Accessibility services enabled without user action

Network Indicators

  • Encrypted outbound traffic appearing shortly after WhatsApp calls
  • Connections to newly created or low-reputation domains
  • Short, repeated HTTPS sessions mimicking legitimate app behavior

Application Behavior

  • WhatsApp remaining active in the background for extended periods
  • Unexpected permission changes
  • Signs of sandbox escape on rooted or jailbroken devices
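As an added detection example (not part of the original advisory), the script below correlates each WhatsApp call event with the device-level and network indicators listed above: a WhatsApp crash shortly after the call, and short, repeated TLS sessions to hosts outside an assumed known-good set. The telemetry, the host names and the thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each event is
# (timestamp, kind, detail[, duration_seconds]) with kinds:
#   "wa_call"   incoming WhatsApp call (missed/answered)
#   "app_crash" process crash, detail = package name
#   "tls_conn"  outbound TLS session, detail = destination host
SAMPLE_EVENTS = [
    ("2026-01-12T09:00:00", "wa_call", "missed"),
    ("2026-01-12T09:00:04", "app_crash", "com.whatsapp"),
    ("2026-01-12T09:00:09", "tls_conn", "g.whatsapp.net", 35.0),
    ("2026-01-12T09:00:15", "tls_conn", "cdn-update-7x.example", 1.2),
    ("2026-01-12T09:00:31", "tls_conn", "cdn-update-7x.example", 0.9),
    ("2026-01-12T09:00:48", "tls_conn", "cdn-update-7x.example", 1.1),
    ("2026-01-12T13:20:00", "wa_call", "answered"),
    ("2026-01-12T13:20:30", "tls_conn", "g.whatsapp.net", 120.0),
]

# Assumption: the app's own backend hosts are expected after a call and ignored.
KNOWN_GOOD_HOSTS = {"g.whatsapp.net", "static.whatsapp.net"}
WINDOW = timedelta(seconds=120)  # look-ahead window after a call
SHORT_SESSION = 5.0              # seconds; "short, repeated HTTPS sessions"
MIN_REPEATS = 3                  # same host seen this often within the window

def correlate(events, known_good=KNOWN_GOOD_HOSTS, window=WINDOW):
    """Return one alert per WhatsApp call that is followed, within `window`,
    by a WhatsApp crash and/or repeated short TLS sessions to a host not in
    the known-good set. Everything else stays silent."""
    alerts = []
    events = sorted(events, key=lambda e: e[0])
    for ev in events:
        if ev[1] != "wa_call":
            continue
        start = datetime.fromisoformat(ev[0])
        crash = False
        sessions = {}  # host -> durations of short sessions after the call
        for other in events:
            t = datetime.fromisoformat(other[0])
            if t <= start or t - start > window:
                continue
            if other[1] == "app_crash" and other[2] == "com.whatsapp":
                crash = True
            elif other[1] == "tls_conn" and other[2] not in known_good and other[3] <= SHORT_SESSION:
                sessions.setdefault(other[2], []).append(other[3])
        suspicious = {h for h, d in sessions.items() if len(d) >= MIN_REPEATS}
        if crash or suspicious:
            alerts.append({"call_time": ev[0], "call": ev[2], "crash": crash, "hosts": sorted(suspicious)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the 09:00 missed call produces an alert here; the 13:20 call is followed solely by a long session to a known-good host and is left alone.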

Why Mobile Antivirus Often Missed It

Traditional mobile security tools were largely ineffective against this attack because:

  • The exploit executed entirely in memory
  • No malicious files were initially written to disk
  • Payloads were polymorphic and frequently changed
  • Legitimate system services were abused
  • Command-and-control traffic was encrypted and blended with normal traffic

Signature-based detection methods provided little protection in this scenario.


Timeline of Events

  • Late 2025: Vulnerability discovered and weaponized by threat actors
  • Early January 2026: Targeted exploitation begins
  • January 12, 2026: UAE authorities issue public warnings
  • Following days: Emergency server-side mitigations deployed
  • Subsequent weeks: Application and OS patches released

Response and Mitigation Measures

WhatsApp Actions

  • Immediate server-side filtering of malformed call traffic
  • Blocking of known exploit patterns
  • Silent backend mitigations to reduce exposure
  • Accelerated patch development and release

Authority and Industry Response

  • Public advisories issued
  • Direct notifications sent to banking customers
  • Threat intelligence shared with financial institutions and SOC teams

Guidance Provided to Users

Users were advised to:

  • Update WhatsApp immediately
  • Install the latest OS security updates
  • Temporarily disable WhatsApp calls if possible
  • Monitor financial accounts for suspicious activity
  • Reset devices if compromise was suspected
  • Avoid answering calls from unknown WhatsApp numbers

Why This Incident Is Significant

This incident highlighted several critical realities:

  • Trusted applications can become high-risk attack surfaces
  • Zero-click exploits are increasingly practical and effective
  • Mobile antivirus solutions have clear limitations
  • Financial ecosystems are being targeted indirectly through consumers

It stands out as one of the most serious mobile VoIP zero-day incidents observed, combining stealth, technical sophistication, and clear financial motivation.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.