WhatsApp is rolling out a powerful new security feature designed to shield users from sophisticated cyber threats. Known informally as locked mode, the option is officially called Strict Account Settings. It limits several app functions to prevent potential attacks through malicious files or unwanted contacts. This update targets a small group of high-risk individuals who face targeted hacking attempts.
When activated, Strict Account Settings blocks all media files and attachments from people not saved in your contacts. It also automatically silences incoming calls from unknown numbers. Your profile picture, About section details, and online status become hidden from non-contacts. Additionally, strangers can no longer add you to group chats without permission.
Meta, the parent company of WhatsApp, plans to release this feature gradually to all users in the coming weeks. Most people will never need to turn it on, according to the company. Will Cathcart, head of WhatsApp at Meta, explained the reasoning behind the new tool. “We are continuously working to improve security in WhatsApp. For a small number of users, such as journalists and public figures who may need additional protection from sophisticated and targeted attacks, we are introducing a new option called Strict Account Settings.”
Even though WhatsApp messages are protected by end-to-end encryption, certain advanced malware can still pose risks. Dangerous code can hide inside innocent-looking images, videos, or documents. Once opened, these files can infect a device and steal personal information or install spyware. Strict Account Settings counters this by blocking media and attachments from senders who are not in the user's contacts, so such files from strangers never reach users who enable it.
One infamous example is Pegasus spyware, created by the Israeli firm NSO Group. Pegasus could infect phones without any action from the user, exploiting hidden vulnerabilities in the operating system. Infected devices essentially became full-time surveillance tools. Meta previously sued NSO Group over Pegasus attacks on WhatsApp users and won a judgment of 167.25 million dollars.
More recently, WhatsApp blocked another targeted campaign that used similar malware developed by the Israeli company Paragon Solutions. The victims were primarily journalists. These rare but serious incidents highlight why extra safeguards are necessary for certain people. State-sponsored actors, rather than common criminals, usually carry out such operations.
To enable the feature, open WhatsApp and go to Settings, then Privacy, and finally Advanced. The toggle for Strict Account Settings appears there. WhatsApp strongly advises regular users to leave it off, since it reduces normal app convenience. “You should enable this option only if you think you might be the target of sophisticated cyber attacks. For most people, this is not the case,” the company stated.
The timing of this release coincides with criticism of WhatsApp’s overall security practices. A lawsuit filed by users in Australia, Mexico, and South Africa claims that end-to-end encryption is not truly complete and that Meta staff can access private messages. Meta has firmly rejected these allegations as unfounded. The company called the claims “categorically false and absurd” and vowed to pursue sanctions against the plaintiffs’ lawyers.
WhatsApp remains one of the world’s most popular messaging platforms, with billions of active users relying on its end-to-end encryption for private conversations. End-to-end encryption ensures that only the sender and recipient can read messages; even the service provider cannot access the content. Features like disappearing messages and chat locks have been added over time to give users more control.
Spyware tools like Pegasus have drawn global attention for their ability to bypass standard phone security without user interaction. Governments and private entities have reportedly used such software to monitor activists, politicians, and reporters. International regulations now scrutinize companies that develop and sell these advanced surveillance technologies.




