Cybersecurity researchers have reported a critical flaw in the Android versions of WhatsApp and Telegram that allows attackers to manipulate media files sent via the apps. This vulnerability could allow attackers to alter photographs, modify invoices (in financial scams), swap files in a particular channel feed, or potentially even manipulate audio messages, cyber-software firm Symantec said, in a blog post.
“The media file-jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks,” Symantec blog post authors wrote. “However, as we’ve mentioned in the past, no code is immune to security vulnerabilities. While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code.”
Researchers said the vulnerability exists because WhatsApp, in its default mode, and Telegram, when its Save to Gallery feature is enabled, both store media files that are received by a device in external storage. Storing them externally instead of internally means that other apps, including malicious ones that the user may have downloaded, now have the ability to access and modify the media files, provided that said apps are granted certain write-to-external storage permissions.
That leaves media files vulnerable to malicious manipulation and data integrity attacks in window of time between when received media are initially received and written to the disk and when they are loaded into the apps’ chat user interface, the blog said.
App users can insulate themselves from a media file-jacking attack by disabling the feature that saves media files to external storage, reported the Symantec team, which also recommended that app developers use internal storage whenever possible, encrypt sensitive files and validate the integrity of files by storing “in a metadata file a hash value for each received media file before writing it to the disk.”
“Think of it like a race between the attacker and the app loading the files. If the attacker gets to the files first – this can happen almost in real time if the malware monitors the public directories for changes – recipients will see the manipulated files before ever seeing the originals,” the Symantec blog post said. “Additionally, data can be manipulated on WhatsApp both when sending files – meaning the attack is launched on the sender’s device – and when receiving files – with the attack happening on the receiving device.”