Jan 28, 2026
WhatsApp's New Lockdown Mode Blocks Spyware—Here's How to Enable It
The Strict Account Settings feature automatically applies maximum security protections, blocking attachments from unknown senders and silencing calls from people outside your contacts.
What Is Strict Account Settings
WhatsApp has launched a new security feature called Strict Account Settings, designed to protect users who may be targets of sophisticated spyware attacks. The feature applies the most restrictive privacy and security settings available on the platform with a single toggle.
When enabled, Strict Account Settings:
- Blocks attachments and media from people not in your contacts
- Silences incoming calls from unknown numbers
- Enforces two step verification
- Alerts you when a contact's encryption keys change
Individual features can be toggled off separately without disabling the entire mode, giving users flexibility while maintaining strong defaults.
Who Should Use It
WhatsApp designed this feature primarily for journalists, activists, and public facing figures who may be targeted by government spyware or sophisticated attackers. These individuals face threats that go beyond typical cybercrime.
In 2019, approximately 1,400 WhatsApp users were compromised through NSO Group's Pegasus spyware. The attack exploited a vulnerability that required no user interaction. Simply receiving a malicious call or media file was enough to infect a device.
A federal court ruled in December 2025 that NSO Group can no longer use WhatsApp's infrastructure for attacks, though the company is contesting the ruling. The threat from commercial spyware vendors remains active.
However, any user concerned about security can enable the mode. You don't need to be a high profile target to want stronger protections.
How Zero Click Attacks Work
Traditional phishing requires victims to click malicious links or download infected files. Zero click attacks bypass this requirement entirely. The attacker sends a specially crafted message, image, or call that exploits vulnerabilities in how the receiving app processes data.
When your phone receives a media file, the messaging app must decode and render it. If the decoding process has a vulnerability, malicious code can execute before you even see the message. That's why blocking media from unknown senders is so effective. It closes off that delivery path for anyone who is not in your contacts.
The same applies to calls. Some spyware exploits have been delivered through the signaling data that initiates a voice or video call. By silencing calls from unknown numbers, Strict Account Settings prevents these attacks from reaching your device.
How to Enable Strict Account Settings
The feature is rolling out gradually and may not be available to all users immediately. Once available:
- Open WhatsApp and go to Settings
- Tap Privacy
- Scroll down to Advanced
- Enable Strict Account Settings
WhatsApp will prompt you to set up two step verification if you haven't already. This adds a PIN that's required when registering your phone number with WhatsApp again, preventing SIM swap attacks from taking over your account.
Enabling the mode doesn't affect end to end encryption, which remains the default for all WhatsApp messages regardless of settings.
Tradeoffs to Consider
Maximum security comes with usability costs. If you rely on receiving messages or files from people not in your contacts, Strict Account Settings will interfere with normal use.
Blocked media from unknown senders. Images, videos, documents, and voice messages from numbers not in your contacts won't be delivered. For journalists receiving tips from anonymous sources, this could be problematic unless the source is added to contacts first.
Silenced calls. Calls from unknown numbers won't ring. You'll still see missed call notifications, but time sensitive communications may be delayed.
Key change alerts. You'll be notified when a contact's encryption keys change, which can happen legitimately when they get a new phone. Frequent alerts may cause notification fatigue.
The ability to toggle individual features helps mitigate these tradeoffs. You might keep media blocking enabled while allowing calls, for example.
Backend Security Improvements
Alongside the user facing feature, WhatsApp announced that it's adopting the Rust programming language across parts of its infrastructure. Rust is designed to prevent memory safety vulnerabilities, which are the primary attack vector for spyware exploits.
Languages like C and C++ allow programmers to directly manage memory, which creates opportunities for bugs that attackers can exploit. Rust's compiler catches these issues before code can run, eliminating entire categories of vulnerabilities.
This change happens behind the scenes and doesn't require any user action. It represents a long term investment in platform security that will benefit all users, not just those who enable Strict Account Settings.
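The decoding risk described under How Zero Click Attacks Work and the memory safety argument above, shown as an added example (not WhatsApp's code): a Rust parser for a constructed toy chunk format, where an untrusted length field that overruns the input produces an error instead of an out-of-bounds read. The format and the names `parse_chunks`, `Chunk` and `ParseError` are hypothetical, chosen for illustration.

```rust
// Toy container (constructed for this example, not a real media format):
// repeated chunks of [tag: 1 byte][len: u16 big-endian][payload: len bytes].

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader { offset: usize },
    LengthExceedsInput { offset: usize, declared: usize, available: usize },
}

#[derive(Debug, PartialEq)]
pub struct Chunk<'a> {
    pub tag: u8,
    pub payload: &'a [u8],
}

/// Parse every chunk, refusing any whose declared length runs past the input.
pub fn parse_chunks(input: &[u8]) -> Result<Vec<Chunk<'_>>, ParseError> {
    let mut chunks = Vec::new();
    let mut offset = 0;
    while offset < input.len() {
        // `get` returns None rather than reading past the end of the slice.
        let header = input
            .get(offset..offset + 3)
            .ok_or(ParseError::TruncatedHeader { offset })?;
        let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
        let body_start = offset + 3;
        let available = input.len() - body_start;
        // The length field comes from the sender: check it against the real input.
        let payload = input
            .get(body_start..body_start + declared)
            .ok_or(ParseError::LengthExceedsInput { offset, declared, available })?;
        chunks.push(Chunk { tag: header[0], payload });
        offset = body_start + declared;
    }
    Ok(chunks)
}

fn main() {
    // Constructed samples: one well-formed file, one whose second chunk
    // declares 65535 payload bytes when only one byte follows.
    let good = [0x01, 0x00, 0x02, 0xAA, 0xBB, 0x02, 0x00, 0x01, 0xCC];
    let lying = [0x01, 0x00, 0x02, 0xAA, 0xBB, 0x02, 0xFF, 0xFF, 0xCC];
    println!("{:?}", parse_chunks(&good));
    println!("{:?}", parse_chunks(&lying));
}
```

A C decoder that trusted the same length field and copied that many bytes would read past the buffer; here the oversized chunk is rejected and the rest of the file is never touched.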
Similar to Apple's Lockdown Mode
WhatsApp's approach follows the model Apple established with Lockdown Mode in 2022. Apple's feature restricts various iOS functions to reduce the attack surface for spyware, including blocking most message attachment types, disabling link previews, and preventing unknown callers from initiating FaceTime connections.
Both features share a philosophy: for users facing serious threats, convenience should be sacrificed for security. The average person doesn't need these restrictions, but high risk individuals should have the option.
If you're using an iPhone, combining Apple's Lockdown Mode with WhatsApp's Strict Account Settings provides layered protection at both the operating system and application levels.
Context: The Musk Criticism
The launch comes amid renewed debate about encrypted messaging security. In late January 2026, Elon Musk publicly criticized WhatsApp's security on X, claiming the platform "is not secure." The timing of Meta's announcement suggests it may be partly a response to this criticism.
WhatsApp uses the Signal protocol for end to end encryption, which is widely considered the gold standard for message privacy. The encryption itself hasn't been broken. Spyware attacks instead target the device endpoints, compromising the phone before encryption or after decryption.
Strict Account Settings addresses this reality by reducing the ways attackers can deliver malicious payloads to your device in the first place.
Should You Enable It
If you're a journalist working on sensitive stories, an activist organizing in hostile environments, or anyone who might be targeted by state actors or commercial spyware, enable Strict Account Settings as soon as it's available to you.
If you're an average user with no specific threat model, the feature may introduce more friction than it's worth. But there's no harm in enabling it to see how it affects your usage. You can always adjust individual settings or disable the mode entirely if it interferes with your communication patterns.
The mere existence of this feature is a reminder that sophisticated attacks are real and ongoing. WhatsApp wouldn't build it if there weren't users who genuinely need it. Whether you're one of them is a question only you can answer.