Can Israel hack WhatsApp? A cyber expert explains

Even though WhatsApp has strong security features, it isn’t impenetrable.

Earlier today, Iranian officials urged the country’s citizens to remove the messaging platform WhatsApp from their smartphones. Without providing any supporting evidence, they alleged the app gathers user information to send to Israel.

WhatsApp has rejected the allegations. In a statement to the Associated Press, the Meta-owned messaging platform said it was concerned “these false reports will be an excuse for our services to be blocked at a time when people need them most”. It added that it does not track users’ location or the personal messages people send one another.

It is impossible to independently assess the allegations, given Iran provided no publicly accessible supporting evidence.

But we do know that even though WhatsApp has strong privacy and security features, it isn’t impenetrable. And there is at least one country that has previously been able to penetrate it: Israel.

3 billion users

WhatsApp is a free messaging app owned by Meta. It has around 3 billion users worldwide and is growing fast. It lets people send text messages, make calls and share media over the internet.

It uses strong end-to-end encryption, meaning only the sender and recipient can read messages; not even WhatsApp can access their content. This ensures strong privacy and security.

Advanced cyber capability

The United States is the world leader in cyber capability. This term describes the skills, technologies and resources that enable nations to defend, attack, or exploit digital systems and networks as a powerful instrument of national power.

But Israel also has advanced cyber capability, ranking alongside the United Kingdom, China, Russia, France and Canada.

Israel has a documented history of conducting sophisticated cyber operations. This includes the widely cited Stuxnet attack that targeted Iran’s nuclear program more than 15 years ago. Israeli cyber units, such as Unit 8200, are renowned for their technical expertise and innovation in both offensive and defensive operations.

Seven of the top 10 global cybersecurity firms maintain R&D centers in Israel, and Israeli startups frequently lead in developing novel offensive and defensive cyber tools.

A historical precedent

Israeli firms have repeatedly been linked to hacking WhatsApp accounts, most notably through the Pegasus spyware developed by Israel-based cyber intelligence company NSO Group. In 2019, it exploited WhatsApp vulnerabilities to compromise 1,400 users, including journalists, activists and politicians.

Last month, a US federal court ordered the NSO Group to pay WhatsApp and Meta nearly US$170 million in damages for the hack.

Another Israeli company, Paragon Solutions, also recently targeted nearly 100 WhatsApp accounts. The company used advanced spyware to access private communications after they had been decrypted.

These kinds of attacks often use “spearphishing”. This is distinct from regular phishing attacks, which generally involve an attacker sending malicious links to thousands of people.

Instead, spearphishing involves sending targeted, deceptive messages or files to trick specific individuals into installing spyware. This grants attackers full access to their devices – including decrypted WhatsApp messages.

A spearphishing email might appear to come from a trusted colleague or organisation. It might ask the recipient to urgently review a document or reset a password, leading them to a fake login page or triggering a malware download.

How to protect yourself from ‘spearphishing’

To avoid spearphishing, people should scrutinise unexpected emails or messages, especially those conveying a sense of urgency, and never click suspicious links or download unknown attachments.

Hovering the mouse cursor over a link will reveal the name of the destination. Suspicious links are those with strange domain names and garbled text that has nothing to do with the purported sender. Simply hovering without clicking is not dangerous.

Enable two-factor authentication, keep your software updated, and verify requests through trusted channels. Regular cybersecurity training also helps users spot and resist these targeted attacks.

David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University

This article is republished from The Conversation under a Creative Commons license. Read the original article.
