WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware
Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do. The feature, similar to Lockdown Mode in Apple iOS and Advanced Protection in Android, aims to protect individuals, such as journalists or public-facing figures, from sophisticated spyware by trading some functionality for
AI Analysis
Technical Summary
Meta has announced a new security feature for WhatsApp called Strict Account Settings, a Lockdown-Style Security Mode aimed at protecting users who are at heightened risk of targeted cyberattacks, particularly from sophisticated spyware. This mode is designed for individuals such as journalists, activists, and public-facing figures who may be targeted due to their profession or public visibility. When enabled, the mode locks the account to the most restrictive privacy settings, including automatically blocking attachments and media from unknown contacts, silencing calls from unknown numbers, and restricting other app functionalities that could be exploited. This approach mirrors similar protections found in Apple’s iOS Lockdown Mode and Android’s Advanced Protection Program, which trade some usability for enhanced security. The feature is accessible through WhatsApp’s Settings > Privacy > Advanced menu and is being rolled out gradually on Android and iOS devices.
In parallel, Meta is transitioning WhatsApp’s media sharing functionality to use Rust, a memory-safe programming language, to mitigate memory safety vulnerabilities inherent in legacy C and C++ codebases. This transition includes implementing control flow integrity (CFI), hardened memory allocators, and safer buffer handling APIs to reduce the risk of exploitation via memory corruption bugs. Although no known exploits are currently active in the wild, this proactive defense-in-depth strategy aims to protect users from zero-click and other advanced spyware attacks that have historically targeted high-profile individuals. The feature’s introduction reflects an industry trend toward stronger, user-focused security controls to counter increasingly sophisticated cyber threats.
Potential Impact
For European organizations, especially those with employees in journalism, human rights advocacy, government, or other sensitive public roles, this feature significantly reduces the risk of targeted spyware infections via WhatsApp. Spyware attacks often lead to severe confidentiality breaches, exposing sensitive communications and personal data. By enforcing strict privacy controls and reducing attack surface through blocking unknown attachments and calls, the Lockdown-Style Security Mode can prevent initial infection vectors used by advanced persistent threats (APTs). The adoption of Rust for media handling further mitigates risks from memory corruption vulnerabilities, which are common exploitation vectors. This is particularly important for European entities subject to stringent data protection regulations like GDPR, where data breaches can result in heavy fines and reputational damage. However, the trade-off in functionality may impact user experience, requiring organizational awareness and training. Overall, this feature enhances resilience against spyware campaigns that have increasingly targeted European civil society and media sectors amid geopolitical tensions.
Mitigation Recommendations
European organizations should proactively encourage or mandate enabling WhatsApp’s Lockdown-Style Security Mode for employees in high-risk roles, such as journalists, legal professionals, and public officials. This can be integrated into mobile device management (MDM) policies or security awareness programs. Additionally, organizations should audit WhatsApp usage policies to ensure users understand the trade-offs in functionality and the importance of restricting communications to known contacts. IT teams should monitor WhatsApp updates and ensure devices are running the latest versions to benefit from the Rust-based security improvements. Complementary measures include enforcing endpoint security solutions capable of detecting spyware behavior, conducting regular threat hunting for signs of compromise, and educating users about phishing and social engineering tactics that could bypass these protections. Finally, organizations should consider alternative secure communication tools with similar hardened security modes for the most sensitive communications, ensuring layered defense strategies.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Ireland
Technical Details
- Article Source: https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html (fetched 2026-01-27T20:26:47.713Z, word count 932)
Threat ID: 69791f8b4623b1157c45d419
Added to database: 1/27/2026, 8:26:51 PM
Last enriched: 1/27/2026, 8:27:03 PM
Last updated: 1/30/2026, 3:35:29 AM