LIFARS, which conducted forensics here, believes that the trick didn't involve getting root access to the phone, and that there were hints of both keyboard recording and spyware vulnerabilities. This would target an everyday Android phone, then, not just one that's already compromised.
McAfee says he's sharing the flaw after talking to Google. We've asked Google itself if it can shed more light on the claims and outline its plans for a fix (assuming one is needed). If his team really did find a way around encryption, though, this could represent a serious problem. Simply speaking, you couldn't guarantee that a chat was private unless you knew that everyone was running a safe operating system.
Update: You know what they say about stories sounding too good (or in this case, too interesting) to be true? Yeah, that may well be true. Gizmodo's own sources maintain that McAfee was trying to perpetrate a hoax. Reportedly, he wanted to send reporters phones "pre-cooked" with keylogger malware to convince them that he'd cracked WhatsApp. He supposedly changed his story to focus on an Android vulnerability when reporters weren't sure about their ability to verify the details.
McAfee isn't having Gizmodo's take on things (his response is colorful, to put it mildly) and swears that how the malware reached the phones "is the story." Still, we'd take his protestations with a big grain of salt unless Google can attest to having spoken to him.