Social media apps nowadays claim to be end-to-end encrypted, but what you see might not be what was sent. Today, researchers from Symantec disclosed a vulnerability that could allow WhatsApp and Telegram media files to be altered. They explain how hackers could use a malicious app to subtly alter media files sent through the services, exposing anything from personal photos to corporate documents to manipulation by malicious actors.
The sender might send a photo as intended, but malware could exploit this vulnerability in WhatsApp and Telegram to replace the photo, for example giving the recipient the wrong directions. On Android, apps can choose where to save media such as images and audio files: either in internal storage, which is accessible only to the app itself, or in external storage, which is more widely available to other apps. WhatsApp stores media in external storage by default, and Telegram does so when the app’s “Save to Gallery” feature is enabled.
According to the researchers, this design means malware with external storage access could tamper with WhatsApp and Telegram media files, even before the user sees them. For instance, if a user installs a malicious app and then receives a photo on WhatsApp, a hacker could manipulate the image without the recipient ever noticing. In theory, a hacker could alter an outgoing multimedia message in the same way.
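The window the researchers describe is the gap between a media file being written to shared storage and the user opening it. The following Python example, added here and not code from the article or from either messaging app, models the two Android storage classes with two directories and shows one defensive pattern: the app keeps a keyed digest of each received file in its private storage and refuses to display a file from shared storage that no longer matches. The file names, the sample bytes and the simulated overwrite are all constructed for the demonstration; a real Android app would use `Context.getFilesDir()` for the private side and the external media directories for the shared side.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed sample "media" payloads; not real WhatsApp or Telegram files.
ORIGINAL_MEDIA = b"\x89PNG\r\n\x1a\n...directions: turn LEFT at the bridge"
TAMPERED_MEDIA = b"\x89PNG\r\n\x1a\n...directions: turn RIGHT at the bridge"


class MediaStore:
    """Models the two Android storage classes the article contrasts.

    private_dir stands in for app-internal storage (readable only by this app);
    shared_dir stands in for external storage that other apps holding the
    storage permission can also write to. Each received file is written to
    shared storage, but a keyed digest of it is kept in private storage, so a
    change made by another app between receipt and display is detected.
    """

    def __init__(self, private_dir: Path, shared_dir: Path) -> None:
        self.private_dir = private_dir
        self.shared_dir = shared_dir
        # Per-install key kept in private storage; an app that can only reach
        # shared storage cannot recompute digests with it.
        key_path = private_dir / "media_mac.key"
        if not key_path.exists():
            key_path.write_bytes(os.urandom(32))
        self.key = key_path.read_bytes()

    def _digest(self, data: bytes) -> str:
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def receive(self, name: str, data: bytes) -> Path:
        """Store a just-received media file and record its digest privately.

        The digest is computed from the in-memory bytes, not re-read from the
        shared file, so nothing written to shared storage is ever trusted.
        """
        target = self.shared_dir / name
        target.write_bytes(data)
        (self.private_dir / f"{name}.mac").write_text(self._digest(data))
        return target

    def load_for_display(self, name: str) -> bytes:
        """Return the media only if it still matches the digest taken at receipt."""
        data = (self.shared_dir / name).read_bytes()
        expected = (self.private_dir / f"{name}.mac").read_text()
        if not hmac.compare_digest(self._digest(data), expected):
            raise ValueError(f"{name}: file changed after receipt; not displaying")
        return data


def demo(tamper: bool) -> bool:
    """Run one receive -> (optional overwrite) -> display cycle.

    Returns True if the file was displayed and False if the integrity check
    refused it. The overwrite is constructed here to stand in for any other
    process with shared-storage access rewriting the file before it is opened.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        private_dir, shared_dir = root / "internal", root / "external"
        private_dir.mkdir()
        shared_dir.mkdir()
        store = MediaStore(private_dir, shared_dir)
        path = store.receive("directions.png", ORIGINAL_MEDIA)
        if tamper:
            path.write_bytes(TAMPERED_MEDIA)  # constructed: shared file rewritten
        try:
            store.load_for_display("directions.png")
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    print("untouched file displayed:", demo(tamper=False))  # True
    print("modified file displayed:", demo(tamper=True))    # False
```

The keyed digest (rather than a plain hash) matters because a plain hash could be stored in, or recomputed from, shared storage; keeping both the key and the digest on the private side ties the check to something only the receiving app can read.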
The researchers call the attack Media File Jacking. It is a common issue and reflects a trade-off between privacy and accessibility for messaging apps on Android: using the widely adopted external storage makes apps more compatible with one another, allowing pictures and other data to move more freely between them. Telegram has not yet commented on the issue, whereas a WhatsApp spokesperson said changing its storage system would limit the service’s ability to share media files, and could even introduce new privacy issues.
“WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” the spokesperson said in a statement. “WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development.”
WhatsApp and Telegram are used by over 1.5 billion people. Before going public with the discovery, Symantec notified Telegram and Facebook/WhatsApp about the Media File Jacking vulnerability. Symantec adds that its malware detection engines, which power Symantec Endpoint Protection Mobile (SEP Mobile) and Norton Mobile Security, detect apps that exploit the described vulnerability.
If you use these apps, you can protect yourself from this risk by changing your media storage settings. On WhatsApp, go to Settings and toggle off “Media Visibility.” On Telegram, toggle off “Save to Gallery.” Apps store images in external storage so that users keep their pictures even when the app is uninstalled, and because most Android devices don’t provide enough internal storage. Separately, Symantec’s researchers discovered another issue with Telegram: a fake version of the app on the Google Play Store.