UAE urges vigilance as WhatsApp flaw threatens accounts

UAE authorities and major lenders have warned customers to stay on high alert after disclosures of a dangerous WhatsApp security flaw that can allow attackers to compromise smartphones through a single call, exposing banking credentials, personal data and private communications.

Advisories circulated by banks and cyber security teams say the vulnerability exploits the way WhatsApp handles voice calls, enabling so-called zero-day or zero-click attacks that do not require the victim to answer the call or tap a malicious link. Once triggered, attackers may gain deep access to a device, opening the door to credential theft, surveillance and unauthorised financial transactions.

The warnings underline growing concern in the Emirates over the use of widely trusted messaging platforms as entry points for financial crime. Banks told customers to treat unexpected WhatsApp calls with suspicion, avoid sharing one-time passwords, and ensure devices are updated with the latest security patches. Several institutions said fraud teams had stepped up monitoring for unusual account activity linked to compromised phones.

Cyber security specialists familiar with the advisory say the attack method reflects a broader trend in mobile exploitation, where sophisticated actors focus on zero-click vulnerabilities that bypass user awareness altogether. Unlike phishing messages or fraudulent links, these exploits leave little trace and can be difficult for victims to detect until financial or privacy damage is already done.

WhatsApp has previously acknowledged and patched similar flaws affecting its calling feature, including vulnerabilities exploited by advanced spyware vendors. While the company regularly issues security updates, the UAE alerts suggest concern that some users may still be running older versions of the app or delaying system updates, leaving devices exposed.

Officials involved in consumer protection say the risk is magnified in a market where WhatsApp is deeply embedded in daily communication, from family chats to business and banking interactions. Attackers can blend malicious calls into normal traffic, increasing the likelihood that a device is silently targeted.

Banks have stressed that they do not request sensitive information over WhatsApp and urged customers to rely only on official apps and verified channels for transactions. Customers were advised to enable device-level protections such as app permissions controls, call screening features and multi-factor authentication on financial apps.

The alert comes against a backdrop of rising digital fraud across the Gulf, driven by higher smartphone usage, expanding mobile banking and the availability of advanced hacking tools. Security firms operating in the region report that zero-day exploits, once largely associated with state-level espionage, are increasingly being adapted for financially motivated crime.

Industry analysts say the economic stakes are significant. A single compromised device can provide access not only to banking apps but also to email accounts, cloud storage and corporate systems, creating cascading risks for individuals and employers. For expatriate workers and small business owners, unauthorised transfers or identity theft can have severe consequences.

UAE cyber security officials have framed the warning as part of a wider push to raise digital hygiene standards among consumers. Public campaigns over the past year have focused on scam calls, fake investment schemes and impersonation fraud, with authorities emphasising shared responsibility between platforms, banks and users.

Technology policy observers note that zero-day vulnerabilities present a particular challenge for regulators, as they can be exploited before vendors release fixes. This places greater emphasis on rapid disclosure, prompt patching and user awareness, rather than reliance on after-the-fact recovery.