Bas Bosschert is a technical consultant with over a decade of experience working with Linux and Unix. He explained that since WhatsApp backs up chat history on your smartphone's SD card, it could be easy for an app to trick a user into allowing access to their entire message database. All that needs to be done is for an app to request (and be granted) access to your smartphone's SD card. This is not an uncommon request, and although Android apps list the permissions required before you install, much as with T&C agreements before Windows or Mac installs, not many read them.
Although WhatsApp's latest releases are encrypting its chat database, Bosschert also said that he was able to easily decrypt it with a simple Python script.
Admittedly, these "holes" are not holes, per se, in WhatsApp, but rather the way Android works. It's part of the openness of Android that is both its strength and weakness. As a comparison, iOS doesn’t allow access to data from outside of an app’s own sandbox. That and the App Store review process means malicious apps can't delve data from another app. On the other hand, Android's openness does allow for additional flexibility in certain ways.
In addition, we'd expect that post-acquisition, Facebook will ratchet up the security around WhatsApp.
Of course, issues like this can be avoided, even in Android, by making sure you only install apps from highly regarded developers, and not questionable ones you may never have heard of.