Re: OS level security?
It doesn't seem that it is escaping the sandbox at all. Unfortunately, from within WhatsApp's sandbox, the malware can access contacts, call history, microphone, and camera* because of videocalls. That's enough to compromise the user of the device quite a bit, even if it doesn't let you read email, browser history, or other types of data on the phone.
*If the videocall or voice call function has never been used on an IOS device, this exploit shouldn't allow those to be taken because the permission has not been granted. This distinction does not apply to android, and if a voice or video call was ever used, it wouldn't apply to IOS either.