WhatsApp is facing renewed scrutiny this week following allegations in a new lawsuit that claim the messaging platform’s end-to-end encryption may not be as secure as advertised. The lawsuit, filed in San Francisco, alleges that Meta employees can access user messages despite WhatsApp encryption promises, though the company has strongly dismissed these claims as baseless. Separately, Google has issued a warning about a security vulnerability affecting Android users that allows malicious photos sent through WhatsApp to compromise devices.
According to reports, the lawsuit cites internal WhatsApp engineers as alleged whistleblowers who claim that platform staff can request access to user content to perform their duties. However, WhatsApp encryption remains intact according to the company, which states that encryption keys are stored exclusively on user devices. Meta has characterized the legal action as a frivolous, headline-seeking lawsuit brought by the same firm that previously defended NSO Group, the controversial spyware company.
WhatsApp Encryption Under Legal Challenge
The legal filing alleges that Meta’s internal teams can bypass WhatsApp encryption protections to view user messages. These claims emerged from sources described as company insiders with knowledge of the platform’s technical operations. However, no concrete technical evidence has been publicly presented to substantiate these allegations.
WhatsApp boss Will Cathcart responded forcefully to the accusations on social media. He stated that WhatsApp cannot read messages because encryption keys remain on user devices and are inaccessible to the company. Meta representatives have indicated they view the lawsuit as lacking merit and designed primarily to generate publicity.
Industry Rivals Amplify Concerns
Telegram CEO Pavel Durov quickly seized on the controversy, posting that users would have to be “braindead to believe WhatsApp is secure in 2026.” He claimed that Telegram’s analysis of WhatsApp’s encryption implementation revealed multiple attack vectors. Meanwhile, Elon Musk promoted his X Chat platform as an alternative, suggesting that even Signal’s security is questionable.
However, security experts note that neither Telegram nor X Chat implements end-to-end encryption by default across all communications. WhatsApp utilizes Signal Protocol, which is widely regarded as the industry standard for secure messaging. This messaging security standard has undergone extensive independent auditing and peer review.
Google Warns of Separate Photo Vulnerability
In addition to the encryption lawsuit, Google’s Project Zero team disclosed a critical vulnerability affecting WhatsApp on Android devices. The security flaw allows attackers to compromise a device through malicious photos sent via the platform. Notably, users do not need to interact with the message or open the attachment for the attack to succeed.
The vulnerability exploits automatic media saving features in WhatsApp. According to Google’s warning, the issue represents a zero-click attack vector that could allow malicious actors to gain unauthorized access to devices. Security researchers recommend that users disable automatic media downloads in their WhatsApp settings to mitigate this risk.
Expert Recommendations for Users
Despite the dual controversies, cybersecurity analysts continue to recommend WhatsApp for everyday messaging needs. The platform’s integration of Signal Protocol and massive user base make it a practical choice for most communications. Additionally, claims about compromised WhatsApp encryption have surfaced periodically over the years without substantiation.
For highly sensitive communications, experts suggest using Signal directly, which offers additional security protections and collects less metadata than WhatsApp. Signal’s architecture provides enhanced privacy features including sealed sender technology and minimal data retention. These features make it particularly suitable for users with elevated security requirements.
The lawsuit is expected to proceed through discovery phases where technical evidence would need to be presented. Legal observers anticipate Meta will seek dismissal of the case, though the timeline for any court decision remains uncertain.
