WhatsApp, Meta’s messaging app with over 3 billion monthly active users, has begun introducing technical changes to mitigate several privacy vulnerabilities on user devices . The fixes, identified through independent research tools, were implemented without official announcement and are currently only partial.
The problem concerns so-called device fingerprinting, a technique that allows an attacker to deduce sensitive information such as the operating system used by the victim.
While end-to-end encryption protects the contents of messages, some design choices in the multi-device protocol expose metadata that is useful in the reconnaissance phase of a cyberattack.
In cyberespionage or targeted malware distribution operations, the reconnaissance phase is crucial. Knowing in advance whether a victim is using Android or iOS allows attackers to deploy compatible exploits, reducing the risk of errors that could compromise valuable zero-day vulnerabilities or complex and expensive infrastructure.
In early 2024, independent researchers documented how WhatsApp’s multi-device E2EE protocol allowed them to distinguish individual devices associated with an account due to the use of separate cryptographic sessions for each device . Subsequent analyses showed how these sessions could be exploited to selectively target a user’s specific device.
In 2025, a study by Gegenhuber and colleagues demonstrated that these differences are not limited to the device’s identity, but also allow for its complete digital fingerprinting, including the precise identification of the operating system. This information can be obtained by querying WhatsApp servers, without any direct interaction with the victim’s device and therefore without the user’s knowledge.
Using a proprietary analysis tool, researchers recently observed a change in Android’s cryptographic identifier management logic. Previously, some parameters were initialized with predictable incremental values; now, at least on Android, these values are randomly assigned.
This change represents the first sign of WhatsApp addressing a long-standing issue, initially not considered relevant from a privacy perspective. However, the distinction between Android and iPhone is highly likely still possible, as iOS continues to use a different initialization logic, based on gradual increases.
The issue of transparency also remains open.
The fixes were applied without formally notifying the researchers who reported the vulnerabilities, without assigning a CVE, and in some cases, without adequate bug bounty recognition.
According to the authors of the research, a more structured and open collaboration with the security community would help improve user protection on a global scale.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
