Cybersecurity company Symantec found an exploit that could allow WhatsApp and Telegram media files — from personal photos to corporate documents — to be exposed and manipulated by malicious actors.

The security flaw, dubbed Media File Jacking, stems from the time lapse between when media files received through the apps are written to a disk and when they are loaded in an app’s chat user interface. Given the perception that security mechanisms like end-to-end encryption render this new generation of IM apps immune to privacy risks, this threat is especially significant.

WhatsApp and Telegram are collectively used by more than 1.5 billion people. Before going public with the discovery, Symantec notified Telegram and Facebook/WhatsApp about the Media File Jacking vulnerability. Symantec said its malware detection engines, which power Symantec Endpoint Protection Mobile (SEP Mobile) and Norton Mobile Security, detect apps that exploit the described vulnerability.

In a statement, WhatsApp said, “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”

IM app users can mitigate the risk posed by Media File Jacking by disabling the feature that saves media files to external storage. Symantec talked about how to do that in its paper by researchers Yair Amit and Alon Gat, who are part of by Symantec’s Modern OS Security team.

If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information, such as personal photos and videos, corporate documents, invoices, and voice memos. Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or to wreak havoc.

Potential usage scenarios include:

  • Image manipulation: A seemingly innocent, but actually malicious, app downloaded by a user can manipulate personal photos in near-real time and without the victim knowing.
  • Payment manipulation: A malicious actor could manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account.
  • Audio message spoofing: Using voice reconstruction via deep learning technology, an attacker could alter an audio message for their own personal gain or to wreak havoc.
  • Fake news: In Telegram, admins use the concept of “channels” to broadcast messages to an unlimited number of subscribers who consume the published content. An attacker could change the media files that appear in a trusted channel feed in real time to communicate falsities.

Malicious fake Telegram app

Additionally, Symantec recently found a malicious app named MobonoGram 2019 (detected as Android.Fakeyouwon) advertising itself as an unofficial version of the Telegram messaging app.

Above: Symantec uncovered a flaw in WhatsApp and Telegram.

Image Credit: Symantec

While the app does provide basic messaging functionality, it was also secretly running services on the device without the user’s consent, as well as loading and browsing an endless stream of malicious websites in the background. The app was available on Google Play for a time and was downloaded more than 100,000 times before it was removed from the store.

You can learn more about the technical details and how users can protect themselves in the blog post.

Symantec said the Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks, thanks to the utilization of security mechanisms such as end-to-end encryption.

Users generally trust IM apps such as WhatsApp and Telegram to protect the integrity of both the identity of the sender and the message content itself. This is in contrast to SMS and other older apps and protocols, which are known to be spoofed pretty easily. However, as we’ve mentioned in the past, no code is immune to security vulnerabilities.