In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

The Future of Shopping? AI + Actual Humans.

AI has changed how consumers shop by speeding up research. But one thing hasn’t changed: shoppers still trust people more than AI.

Levanta’s new Affiliate 3.0 Consumer Report reveals a major shift in how shoppers blend AI tools with human influence. Consumers use AI to explore options, but when it comes time to buy, they still turn to creators, communities, and real experiences to validate their decisions.

The data shows:

  • Only 10% of shoppers buy through AI-recommended links

  • 87% discover products through creators, blogs, or communities they trust

  • Human sources like reviews and creators rank higher in trust than AI recommendations

The most effective brands are combining AI discovery with authentic human influence to drive measurable conversions.

Affiliate marketing isn’t being replaced by AI; it’s being amplified by it.

Meta Begins Addressing WhatsApp Device Fingerprinting Risks Linked to Spyware Targeting

Meta has begun implementing mitigations in WhatsApp to reduce device fingerprinting risks that expose user metadata, particularly indicators that allow attackers to infer a user’s operating system.

The issue is significant because advanced spyware campaigns often rely on operating system identification during reconnaissance to deploy tailored zero-day exploits. While Meta has taken initial steps—most notably on Android—the mitigations are partial, and researchers say OS fingerprinting remains feasible under certain conditions.

The situation highlights the tension between practical security risk, privacy exposure, and how platforms prioritize and communicate fixes.

Context

WhatsApp’s scale—approximately three billion users—makes it an attractive target for high-end surveillance actors.

In recent years, spyware vendors have repeatedly abused messaging platforms as delivery vectors, often using zero-click vulnerabilities that require no user interaction. These exploits are rare, expensive, and strategically valuable, with full exploit chains reportedly commanding prices near $1 million.

Before deploying such exploits, attackers typically perform reconnaissance to determine the victim’s device type and operating system, ensuring the payload matches the target environment.

What Happened

Security researchers demonstrated that attackers could infer WhatsApp users’ operating systems using only a phone number.

The technique required no interaction from the target and left no visible trace. By analyzing predictable values in encryption key identifiers, attackers could determine the primary device, the OS of linked devices, device age, and whether WhatsApp was accessed via mobile or web.

One of the lead researchers was Tal Be’ery, co-founder and CTO of Zengo. Be’ery reported the issue to Meta over an extended period before seeing visible remediation.

Technical Breakdown

The fingerprinting technique exploited predictable initialization patterns in WhatsApp’s cryptographic key identifiers.

Android and iOS handled these values differently, allowing attackers to distinguish platforms with high confidence. Be’ery developed a private tool demonstrating the issue and later observed that WhatsApp had begun randomizing certain key values on Android.

However, iOS behavior remains distinct, as its identifiers initialize at low values and increment slowly. This difference continues to enable OS inference despite recent changes.

According to Be’ery, fully randomizing these fields across all platforms would eliminate the fingerprinting vector entirely.
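To make the difference between the two behaviours concrete, here is an added Python model (not code from the article, Meta, or the researchers) of the two identifier-allocation strategies the section describes. The 24-bit identifier space, the class names and the 1% "low-start" threshold are assumptions chosen for illustration; WhatsApp's real key-identifier format is not reproduced. The `leaks_low_start_pattern` function is the kind of self-check a client developer can run against their own identifiers to confirm that a randomized allocator no longer exposes the pattern.

```python
import secrets

# Assumption: a 24-bit identifier space, chosen only for this illustration.
ID_BITS = 24
ID_SPACE = 1 << ID_BITS


class SequentialKeyIds:
    """Low-start counter (the behaviour the article attributes to iOS):
    the first identifiers a fresh client publishes are small and grow
    slowly, so an observer can read them as a device-age / platform signal."""

    def __init__(self, start: int = 1):
        self.next_id = start

    def allocate(self) -> int:
        value = self.next_id
        self.next_id = (self.next_id + 1) % ID_SPACE
        return value


class RandomKeyIds:
    """Randomized identifiers (the mitigation the article says Meta began
    applying on Android): each ID is drawn uniformly from the full space,
    with a used-set so the client never hands out the same ID twice."""

    def __init__(self):
        self.used = set()

    def allocate(self) -> int:
        while True:
            value = secrets.randbelow(ID_SPACE)
            if value not in self.used:
                self.used.add(value)
                return value


def allocate_many(allocator, n: int) -> list:
    """Constructed sample: the first n identifiers a client would publish."""
    return [allocator.allocate() for _ in range(n)]


def leaks_low_start_pattern(ids, sample: int = 10, threshold: int = None) -> bool:
    """Defender self-check: True if the first `sample` identifiers all sit in
    the bottom 1% of the ID space, i.e. they look like a fresh, slowly
    incrementing counter rather than uniformly random values."""
    if threshold is None:
        threshold = ID_SPACE // 100
    first = list(ids)[:sample]
    return len(first) == sample and max(first) < threshold


if __name__ == "__main__":
    seq = allocate_many(SequentialKeyIds(), 10)
    rnd = allocate_many(RandomKeyIds(), 10)
    print("sequential IDs:", seq, "-> leaks pattern:", leaks_low_start_pattern(seq))
    print("randomized IDs:", rnd, "-> leaks pattern:", leaks_low_start_pattern(rnd))
```

The check is deliberately crude: it only asks whether a client's earliest identifiers cluster near zero. That is enough to show why randomizing the field on every platform, as Be'ery recommends, removes the signal, while a counter that merely starts elsewhere or increments at a different rate still leaves a platform-specific distribution for an observer to compare against.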

Impact Analysis

On its own, OS fingerprinting is generally considered a low-severity issue.

However, its value increases significantly when paired with a WhatsApp zero-day exploit, enabling precise payload delivery. In such scenarios, metadata exposure becomes a critical enabler rather than a standalone threat.

The lack of user visibility into these changes also raises transparency concerns, as mitigations were deployed quietly without public advisories or CVE tracking.

Why It Matters

This case illustrates how metadata leaks can act as force multipliers for advanced threats.

Even when a vulnerability does not directly enable compromise, it can materially improve attacker efficiency and success rates. At global scale, small design decisions can have outsized security and privacy consequences.

It also underscores ongoing challenges in coordinated disclosure, severity classification, and researcher-vendor communication.

Expert Commentary

WhatsApp acknowledged that it has been hardening its platform against device fingerprinting, but emphasized that OS inference is common across many technologies and typically rated low severity.

Meta noted that Be’ery’s report contributed to fixing a related issue and improving internal bug bounty triage. A bounty was awarded, and Meta reports paying over $25 million through its program, including $4 million in 2025.

Meta also highlighted broader anti-spyware efforts, including disruption campaigns and legal action—most notably its successful lawsuit against NSO Group, which remains under appeal.

Key Takeaways

  • WhatsApp device fingerprinting exposed OS metadata without user interaction

  • Attackers can use this data to tailor zero-day spyware delivery

  • Meta has begun partial mitigations, mainly on Android

  • OS inference remains possible due to platform differences

  • Issue highlights privacy risks beyond traditional vulnerability scoring

  • Researcher-vendor communication and transparency remain key challenges
