• A_norny_mousse@feddit.org (OP) · 2 points · edited · 20 days ago

    How the Query Was Made

    The evaluated participant directory of WhatsApp must fundamentally be open to WhatsApp users. They need to know who they can reach via the app. This is usually done by matching the smartphone address book. However, this does not require everyone to be able to access the user directory without limitation – but that was exactly the case.

    As Gabriel Gegenhuber (University of Vienna), Philipp Frenzel (SBA Research), Maximilian Günther, Johanna Ullrich, and Aljosha Judmayer (all Uni Wien) discovered, Meta allowed the matching of 7,000 phone numbers per second per instance using the XMP protocol, including the download of the respective device list. Profile data and key downloads were slightly slower at 3,000 and 2,000 per second, respectively. However, the profile photos were on an HTTP server that delivered 5,500 high-resolution images per second within the project.

    The researchers made sure not to obscure their requests. They used the same static IP address for their queries, which was identifiable as belonging to the University of Vienna through the abuse contact data and whose administrator was reachable. Contact attempts to WhatsApp clients or interception of messages were not part of the procedure. The XMP queries generally ran with a maximum of five parallel threads and 50,000 data records per query, so as not to overload the infrastructure.

    The researchers used the software whatsmeow for this purpose. This is an independent open-source implementation of WhatsApp. The parameters of the server interfaces (API) have been reverse-engineered for whatsmeow.

    For photo downloads, however, the Viennese used 1,000 parallel threads, and for a short-term attempt, even 10,000. There were no reactions from the Meta servers or abuse complaints. The data company apparently refrained from monitoring. The collected photos and phone numbers were deleted by the scientists after the evaluation was completed.

    Austria has 500 Billion Possible Mobile Numbers

    One challenge was defining the number range to be scraped. The number of possible mobile phone numbers is enormous. Not only are the number ranges different in each country, but the length of the phone number can also vary within a country. Example Austria: The “area code” is followed by the subscriber identification, which can be seven to 13 digits long. It is not uncommon for a line to have more than one phone number.

    This results in more than 511 billion possible mobile numbers for Austria alone. In Indonesia, there are still 89 billion. Google maintains a public library, libphonenumber, for formatting and validating international phone numbers. At the time of the queries, it contained a good 646 billion phone numbers—the majority of them from Austria. Scraping this would have taken about a year.

    As trained Austrians, however, the researchers knew to exclude certain number blocks because they are not used or hardly used in practice. Conversely, according to libphonenumber, there were surprisingly few number possibilities in Mexico and Brazil. It turned out that the number system had recently been reformed; numbers according to the old scheme were removed from libphonenumber, although they are still in circulation and valid.

    After corresponding adaptations, the group finally defined a space of a good 63 billion phone numbers. In it, they found 3,546,479,731 WhatsApp accounts from 245 countries and territories. The actual number could be slightly higher, as it is possible that not all possible number ranges were captured in all area codes. In addition, satellite phone area codes (e.g., +870, +881) and special area codes like +800 were excluded. If network operators used their number blocks more extensively and assigned phone numbers randomly, scraping the number ranges would be more difficult for researchers as well as for spammers.

    Statistical Delicacies

    The most WhatsApp users, not surprisingly, are in India, with around 749 million. This means there are about 51 WhatsApp accounts per 100 Indians. There are over 200 million accounts in Indonesia and Brazil, and more than 100 million each in the USA, Russia, and Mexico. Per 100 inhabitants, this means 99 in Mexico and Brazil, 91 in Russia, but only 40 accounts in the USA.

    In 32 regions, there are more than 100 accounts per 100 inhabitants, especially Monaco with 480. Countries in the Middle East and geographically small areas like Hong Kong, Sint Maarten, Singapore, Luxembourg, or the Turks and Caicos Islands predominate, but Chile, Malaysia, and the Netherlands also have more than 100 percent penetration. In the DACH region, Germany has 74.6 million WhatsApp accounts (88 per 100 inhabitants), Austria 7.9 million (86), Switzerland 8.4 million (95), and Liechtenstein 16,760 (43).

    WhatsApp’s market penetration is below five percent in Eritrea, Tokelau, Japan, South Korea, Ethiopia, Madagascar, Niue, Tuvalu, and Vietnam, as well as in three countries that completely ban the messenger (North Korea, China, Myanmar). In Japan, South Korea, and Vietnam, local messaging apps dominate the market. Regionally strong competitors explain WhatsApp’s relative weakness in several countries. For example, Meta’s offering only reaches 37 percent in Greece because Viber is the dominant player there.

    Many Business Accounts in Africa

    In no country did the researchers observe declining user numbers in the period from December 2024 to March 2025. They collected churn rates for Belgium, India, Iran, and the USA. The differences are significant. In Belgium, less than one percent of WhatsApp accounts disappeared monthly, while in the USA it was 3.6 to 4.3 percent, with Iran and India in between.

    There are significant differences in the use of the profile picture function. It is extremely popular in Africa, where usually two-thirds to four-fifths set a picture. In the DACH region, Austria leads with 60 percent, followed by Switzerland with 58, Liechtenstein with 55, and Germany with 51 percent.

    In some countries, there are surprisingly many business accounts: in Sierra Leone and Burundi, more than a third of all WhatsApp accounts fall into this category. In general, their share is high in Africa, but also in Haiti, the United Arab Emirates, Pakistan, Afghanistan, and Qatar; it is over 20 percent.

    This is likely due to social customs, as Meta does not control whether an account is actually used for business. You just have to install the business version of the app. In Germany and Austria, two percent of users have done this; in Switzerland and Liechtenstein, three percent. Globally, it’s nine percent.

    Android vs. iOS

    Since the WhatsApp application is implemented differently in Android and iOS, the Austrians were also able to gain insights into the market shares of these operating systems among WhatsApp users. Tendentially, the data available to heise online shows that the Android market share is significantly higher in poorer countries. Only in about half of the recorded countries does Apple’s iOS reach over 20 percent. Worldwide, 81 percent of WhatsApp accounts are on Android.

    Taking those regions where WhatsApp has at least a five percent market share and at least one million users, there are ten where iOS accounts for 51 percent or more: the USA, Denmark, and Australia lead with two-thirds iPhones each, followed by Canada, Norway, Sweden, Taiwan, Great Britain, Switzerland, and New Zealand.

    Android and iOS are balanced in Luxembourg, Mongolia, and Hong Kong. In the two largest markets, India and Indonesia, Android dominates with well over 90 percent. This also applies to India’s neighbors Bangladesh and Pakistan. In Germany and Austria, 58 and 59 percent are Android, respectively, while in Switzerland and Liechtenstein it is only 43 and 41 percent.

    Recommendations

    The research group published their findings on Tuesday under the title “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy.” The paper has been accepted for the NDSS 2026 (Network and Distributed System Security) conference. It contains only one piece of advice for privacy-conscious WhatsApp users: they should reconsider their profile photo and info field. Due to the EU’s Digital Markets Act, it may become possible in the European Economic Area to network alternative messenger systems with WhatsApp without directly using WhatsApp servers.

    For Meta, they have more recommendations: limiting server queries (rate limiting), encrypting profile photos and info fields so that only confirmed contacts have access, and a uniform code base for different operating systems to provide attackers with less side-channel information. Once again, Signal is leading the way: the current beta already encrypts profile information.

    Meta Platforms Reacts

    An update to the Android app from October is intended to prevent keys from another account previously used on the device from being reused when a new WhatsApp account is created. In addition, WhatsApp servers no longer reveal timestamps for profile pictures. There is also now a restriction on the number of queries for profile pictures and info fields, except for business profile queries.

    Meta has recently been trying to counter the mass matching of phone numbers by using machine learning and a lifetime limit on the maximum number of queries made by a WhatsApp account. This is intended to deter scrapers but not restrict normal users.

    There are no CVE numbers for the problems discovered, as Meta generally does not apply for them for server problems. The data company considers the faulty reuse of keys when creating a new account on a device previously used for WhatsApp to be not serious enough.
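The rate limiting and the lifetime query cap that the "Recommendations" and "Meta Platforms Reacts" sections describe, shown as an added illustration that is not code from the paper, from heise online or from Meta. The window size, the per-window and lifetime limits, the choice to count matched numbers rather than requests, and the replayed query log are all constructed assumptions; the point is how a per-account budget separates an ordinary address-book sync from enumeration traffic, whether bursty or slow and steady.

```python
"""Per-account contact-matching budget: sliding-window rate limit plus lifetime cap.

Added illustration; not code from the paper, heise online or Meta. The
window size, the limits and the query log are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AccountBudget:
    """Limits for one account: numbers matched per window and over its lifetime."""
    window_seconds: float
    window_limit: int       # max numbers matched within any window (assumed)
    lifetime_limit: int     # max numbers matched over the account's lifetime (assumed)
    lifetime_used: int = 0
    recent: deque = field(default_factory=deque)  # (timestamp, numbers) pairs

    def _prune(self, now: float) -> None:
        # Drop requests that have aged out of the sliding window.
        while self.recent and now - self.recent[0][0] >= self.window_seconds:
            self.recent.popleft()

    def allow(self, now: float, count: int) -> bool:
        """Record the request and return True if `count` numbers may be matched."""
        self._prune(now)
        in_window = sum(n for _, n in self.recent)
        if in_window + count > self.window_limit:
            return False                      # burst exceeds the window budget
        if self.lifetime_used + count > self.lifetime_limit:
            return False                      # account has spent its lifetime budget
        self.recent.append((now, count))
        self.lifetime_used += count
        return True


def evaluate(log, window_seconds=3600.0, window_limit=5_000, lifetime_limit=200_000):
    """Replay a log of (timestamp, account_id, numbers_in_request) through the budgets.

    Returns {account_id: {"allowed": n, "rejected": n, "lifetime_used": n}}.
    """
    budgets, stats = {}, {}
    for ts, acct, count in sorted(log):
        b = budgets.setdefault(acct, AccountBudget(window_seconds, window_limit, lifetime_limit))
        s = stats.setdefault(acct, {"allowed": 0, "rejected": 0, "lifetime_used": 0})
        s["allowed" if b.allow(ts, count) else "rejected"] += count
        s["lifetime_used"] = b.lifetime_used
    return stats


def flag_accounts(stats, min_rejected=10_000):
    """Accounts whose rejected volume alone marks them as enumeration candidates."""
    return sorted(a for a, s in stats.items() if s["rejected"] >= min_rejected)


def demo_stats():
    """Constructed log: one ordinary user, one bursty scraper, one slow-and-steady scraper."""
    log = []
    log.append((0.0, "user_a", 300))          # first address-book sync
    log.append((86_400.0, "user_a", 20))      # a few new contacts a day later
    for i in range(100):                      # 1,000 numbers every 10 s for about 17 minutes
        log.append((10.0 * i, "burst_scraper", 1_000))
    for h in range(60):                       # 4,000 numbers once an hour, under the window limit
        log.append((3_600.0 * h, "slow_scraper", 4_000))
    return evaluate(log)


if __name__ == "__main__":
    stats = demo_stats()
    for acct, s in stats.items():
        print(acct, s)
    print("flagged:", flag_accounts(stats))
```

The sliding window alone stops the bursty account after its first 5,000 numbers, but the slow account stays under the window limit indefinitely; only the lifetime cap ends it once its cumulative total is spent. In the replay the ordinary user never hits either limit, which is the property the article attributes to Meta's intent of deterring scrapers without restricting normal users.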