Meta has begun rolling out changes to address WhatsApp weaknesses that expose user metadata, following research showing that attackers can fingerprint a user’s device operating system. While initial mitigations are in place, fully eliminating these identifiers remains a challenge.
WhatsApp, with roughly 3 billion users, is an attractive delivery channel for sophisticated spyware. Threat actors often rely on zero-day vulnerabilities to deliver malicious payloads without requiring any user interaction. These flaws may exist within WhatsApp itself or in third-party components leveraged by the app.
Spyware campaigns uncovered in 2025, including attacks involving Paragon spyware, demonstrated how such zero-days could be abused to target dozens of users.
Because WhatsApp zero-days are both rare and valuable, full exploit chains can command prices of around $1 million, attracting interest from both attackers and defenders.
Before deploying spyware, attackers must determine the target’s operating system to deliver a compatible payload. Researchers have shown that this reconnaissance step can be completed using only a phone number, without alerting the victim or requiring any interaction.
Over the past two years, researchers demonstrated that WhatsApp metadata can be used to infer a user’s primary device, the operating systems of linked devices, device age, and whether WhatsApp is accessed via a mobile app or desktop browser. This inference is possible due to predictable encryption key ID values generated by the application.
One of the researchers involved, Tal Be’ery, co-founder and CTO of the Zengo cryptocurrency wallet, reported these findings to Meta. For an extended period, no visible action followed.
Be’ery later developed a device fingerprinting tool for WhatsApp. While the tool is not publicly available, it recently revealed that Meta has begun randomizing key ID values on Android, limiting fingerprinting accuracy on that platform.
In a blog post published Monday, Be’ery showed that device fingerprinting is still possible, though he praised Meta for acknowledging the issue and taking corrective steps.
According to Be’ery, attackers can still reliably distinguish Android from iPhone devices based on differences in how One-Time Public Key IDs are generated. iPhones initialize these values at low numbers and increment them gradually, while Android uses a broader random range.
He suggested that the changes represent an initial step toward a broader fix that could eventually eliminate the fingerprinting issue across all platforms.
While welcoming the progress, Be’ery criticized the silent rollout, noting that users remain unaware of the changes. He also called for improved communication with researchers, clearer CVE assignment practices, and more transparent bug bounty handling.
WhatsApp told SecurityWeek that it continues to focus on protecting users against a wide range of attack vectors while maintaining service reliability. The company confirmed it has been hardening its platform, including defenses against device fingerprinting.
However, WhatsApp emphasized that operating system inference is generally considered low severity, citing several factors:
* Device fingerprinting is not unique to WhatsApp and exists across many platforms
* Operating systems often expose identifiers to improve user experience
* OS inference results from fundamental differences in platform design
* The security impact is limited without an accompanying zero-day exploit
* Such issues typically do not meet the threshold for CVE assignment
WhatsApp noted that the issues reported by Be’ery did not meet its internal severity criteria. Nonetheless, the report helped identify and fix a separate issue related to invalid message handling, and Be’ery received a bug bounty for that contribution.
Meta stated that it has paid $25 million in bug bounties since launching its program, including $4 million in 2025.
The company also highlighted ongoing security improvements, including the WhatsApp Research Proxy, which aids protocol analysis, and broader efforts to counter spyware through disruptions, information sharing, user awareness, and legal action.
Last year, Meta won a lawsuit against NSO Group, resulting in an order barring the spyware vendor from targeting WhatsApp and imposing significant financial penalties. NSO has since filed an appeal.
