
WhatsApp’s multi-device encryption design has long exposed metadata that lets adversaries identify the operating system of a user’s devices, which facilitates targeted malware delivery. Recent research shows that Meta has partially corrected the issue, yet transparency concerns remain.

Meta’s WhatsApp, boasting more than 3 billion monthly active users, employs end-to-end encryption (E2EE) for message protection; however, its multi-device functionality discloses device details.

In this configuration, senders create distinct sessions with every recipient device, utilizing unique encryption keys produced on the device itself rather than on servers.

Differences in how key IDs are assigned, such as those of the Signed Pre-Key (Signed PK) and One-Time Pre-Key (OTPK), disclose whether a device runs Android or iOS, information that is vital for the reconnaissance stage of a cyber attack chain.

Adversaries exploit this passively by querying WhatsApp servers for session keys without user engagement, discerning the OS type so they can deliver tailored exploits, for example sending Android malware only to Android devices while avoiding iOS devices and without alerting victims.

WhatsApp device fingerprinting (Source: TalBeerySec)

Research conducted in early 2024 by Tal A. Be’ery at WOOT’24 uncovered leaks regarding device quantity, categories, and identities through per-device sessions utilizing Signal’s protocol.



Later that same year, attackers accurately identified particular devices for exploitation. In 2025, Gabriel Karl Gegenhuber et al. at WOOT’25 elaborated on OS fingerprinting: Android Signed PK IDs start at 0 and increase gradually, on a monthly basis, while iOS patterns fluctuate significantly.

Tal A. Be’ery confirmed this with custom tools, validating that attackers chain these leaks: detect the OS, then deliver OS-specific payloads covertly.

WhatsApp’s Silent Correction

Recently, WhatsApp changed the assignment of Android Signed PK IDs to random values across the 24-bit range, impairing that vector. This modification, identified through monitoring tools, marks a departure from Meta’s earlier position, which dismissed the issue as non-actionable.

WhatsApp device fingerprinting (Source: TalBeerySec)

Nevertheless, the OTPK ID remains a distinguishing signal: on iOS it starts low and increases every few days, whereas on Android it spans the complete random range. Tools run after the fix still effectively discern the OS.

This enables advanced persistent threats (APTs) to utilize WhatsApp as a conduit for malware, as evidenced in the Paragon spyware instances. No user alerts occur during inquiries, thus maintaining stealth.

Critics point out that the fix was rolled out without notifying researchers, paying a bug bounty, or assigning a CVE, in contrast to a similar concern where a bounty was issued without a CVE. CVEs catalog issues via CVSS scores, not stigma; such omissions complicate tracking.

While remedies develop, comprehensive randomization across platforms and CVE transparency would enhance protection for billions and enable community cooperation. Users should restrict linked devices and monitor activity while the risks persist.
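Why a partial fix still leaks, and why randomizing on every platform closes the gap, can be checked with a small simulation. This is an added example, not code from the researchers or from WhatsApp; the counter step, device ages, sample sizes and function names are assumptions, and only the 24-bit ID range and the "low and increasing every few days" versus "random" behaviour come from the article.

```python
import random

ID_SPACE = 1 << 24  # 24-bit key ID range mentioned in the article

def counter_id(rng, step_days, max_age_days=5 * 365):
    """Assumed sequential policy: ID starts at 0 and grows by 1 every step_days."""
    age = rng.randrange(max_age_days)  # constructed device age in days
    return (age // step_days) % ID_SPACE

def random_id(rng):
    """Randomized policy: ID drawn uniformly from the whole 24-bit range."""
    return rng.randrange(ID_SPACE)

def observer_accuracy(sample_a, sample_b):
    """Best accuracy of an observer who guesses platform A when ID < threshold.

    0.5 means the ID carries no platform signal; 1.0 means it fully reveals it.
    """
    best = 0.0
    total = len(sample_a) + len(sample_b)
    for bits in range(25):  # thresholds 1, 2, 4, ..., 2**24
        t = 1 << bits
        hits = sum(i < t for i in sample_a) + sum(i >= t for i in sample_b)
        best = max(best, hits / total)
    return best

def evaluate(n=5000, seed=2025):
    """Compare a one-sided fix with randomization on both platforms."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    sequential = [counter_id(rng, step_days=3) for _ in range(n)]
    random_a = [random_id(rng) for _ in range(n)]
    random_b = [random_id(rng) for _ in range(n)]
    return {
        # One platform still counts up, the other is random (the OTPK case).
        "sequential_vs_random": observer_accuracy(sequential, random_a),
        # Both platforms random: the recommended end state.
        "random_vs_random": observer_accuracy(random_a, random_b),
    }

if __name__ == "__main__":
    for scenario, accuracy in evaluate().items():
        print(f"{scenario}: observer accuracy {accuracy:.3f}")
```

The same harness can be pointed at any identifier a protocol exposes before authentication or user interaction: if the observer scores well above 0.5 between two client populations, the allocation policy is a fingerprint.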
