Privacy rankings of popular messaging apps in 2025 | Kaspersky official blog
Comparing WhatsApp, Discord, Snapchat, Facebook Messenger, and Telegram, based on their privacy settings and the amount of data they collect.
AI Analysis
Technical Summary
The threat analysis is based on a 2025 privacy ranking study by Incogni, published on the Kaspersky blog, comparing popular messaging apps: Discord, Telegram, Snapchat, Facebook Messenger, and WhatsApp. The study evaluates these apps across 18 criteria, focusing on privacy settings, data collection practices, government data request compliance, and protection against unauthorized access. Discord ranks highest overall due to limited data collection and a clean record on privacy fines but has less private default settings. Telegram and Snapchat excel in privacy settings and default configurations, with Telegram collecting the least data and offering the most granular privacy controls. WhatsApp, while ranking lower overall, uniquely provides end-to-end encryption by default for all chats, a critical privacy feature not matched by Telegram. The study highlights concerns such as WhatsApp's use of chat data for AI training without opt-out options, government data request compliance rates (Snapchat at 82%, Meta services at 78%, Discord at 77.4%), and the vulnerability of desktop and third-party clients to malicious modifications. The threat lies in the potential exposure of sensitive communications through data collection, social engineering attacks, and government surveillance. The analysis emphasizes that default privacy settings and user control are crucial, as many users do not adjust settings post-installation. The study also notes that official mobile clients are more secure than desktop or modded versions, which are often targeted by attackers. Overall, the threat is a privacy and security risk stemming from app design choices, data handling policies, and user behavior, rather than a direct software vulnerability.
Potential Impact
For European organizations, the impact of these privacy weaknesses in messaging apps can be significant. Sensitive corporate communications could be exposed through data collection practices or social engineering attacks exploiting weak default privacy settings. The lack of end-to-end encryption in some apps (e.g., Telegram by default) increases the risk of interception or unauthorized access, potentially leading to data breaches or espionage. Government data request compliance rates raise concerns about surveillance and data privacy under European data protection laws such as GDPR. Organizations using these apps for internal or external communication risk non-compliance with privacy regulations if personal or sensitive data is inadequately protected. Additionally, phishing and account hijacking risks can lead to credential theft and unauthorized access to corporate networks. The widespread use of these apps across Europe means that a large number of employees and stakeholders could be affected, increasing the attack surface. The presence of malicious third-party clients and desktop vulnerabilities further exacerbates risks. Overall, these privacy and security gaps could undermine trust, cause reputational damage, and result in financial penalties for organizations failing to safeguard communications.
Mitigation Recommendations
European organizations should implement several targeted measures beyond generic advice:
1) Enforce the use of messaging apps with strong default privacy settings and end-to-end encryption, prioritizing WhatsApp for sensitive communications or specialized secure messaging platforms.
2) Develop and mandate privacy configuration guidelines for employees, ensuring default settings are hardened immediately after installation.
3) Prohibit the use of unofficial or third-party clients and desktop versions known to be vulnerable or maliciously modified.
4) Conduct regular user awareness training focused on phishing, social engineering, and account hijacking risks specific to messaging apps.
5) Monitor and audit app usage to detect anomalous access patterns or unauthorized data sharing.
6) Leverage endpoint security solutions that can block malicious links and phishing attempts within messaging notifications, such as Kaspersky for Android.
7) Establish clear policies on data sharing and retention in messaging apps to comply with GDPR and other privacy regulations.
8) Engage with vendors to understand their data handling and government request policies and prefer those with transparent, privacy-respecting practices.
9) Consider deploying enterprise-grade secure communication tools for highly sensitive discussions instead of consumer-grade apps.
10) Regularly review and update security policies as app privacy features evolve.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Norway, Denmark, Finland, Belgium, Italy, Spain
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/messengers-privacy-rating-2025/54665/","fetched":true,"fetchedAt":"2025-10-24T16:18:28.546Z","wordCount":1636}
Threat ID: 68fba6d444c617250775d1ec
Added to database: 10/24/2025, 4:18:28 PM
Last enriched: 10/24/2025, 4:18:51 PM
Last updated: 10/25/2025, 10:33:29 AM