According to security firm Symantec, a flaw has been found in the Android versions of the WhatsApp and Telegraph apps that allows hackers to manipulate files transferred between users. The flaw stems from the fact that the WhatsApp and Telegraph apps automatically save files to the phone’s gallery or external storage. It only becomes an issue if the user’s phone is already infected with malware that has access to, and can alter, the phone’s external storage.
This most recent security flaw comes just months after WhatsApp came under fire for a flaw that allowed hackers to install spyware on the end user’s phone by simply calling them via the app.
‘Media File Jacking’
The security flaw allows hackers to intercept and alter files sent between WhatsApp and Telegraph app users. Symantec has coined the term ‘Media File Jacking’ to explain the flaw.
An example of ‘Media File Jacking’ is that a hacker could intercept a photo file sent between two WhatsApp users. During the interception, they could replace the faces of the people in the photo with someone else’s. Although this is a trivial example with few consequences, the flaw could also be used to alter payments or voice notes.
Malicious hackers could use the flaw to manipulate an invoice sent by a vendor to a customer so that it instructs the customer to make a payment to an illegitimate account. Symantec has also suggested that the hack could be used to circulate misinformation and fake news via the Telegraph ‘channels’, which are used to broadcast messages to large numbers of users.
After discovering this security flaw, Symantec made a range of recommendations to the WhatsApp and Telegraph app developers about how to change file validation and storage, in order to patch the issue.
WhatsApp resisted the suggestions made by Symantec because they already follow best practices provided by the operating system for media storage. They also argued that the changes that Symantec suggested could create privacy complications and limit photo and file sharing.
Telegraph did not respond to Symantec’s suggestions.
The next version of Google’s mobile operating system, Android Q, should see changes put in place to protect users from the flaw. In the meantime, Hyve suggests that users stop their apps from automatically saving media files to their phone’s external storage in order to avoid the issue altogether.
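The flaw comes down to a file being changed in shared storage between the moment the app saves it and the moment it is read back. The Python example below is added here as an illustration and is not code from Symantec, WhatsApp or Telegraph: it shows one form that file validation can take, recording a keyed hash of each received file in private storage and checking it before the file is used. The `MediaStore` class, the directory layout and the invoice contents are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


class MediaStore:
    """Saves received media to a shared directory and keeps an HMAC of each
    file in a private directory that other apps are assumed unable to write."""

    def __init__(self, shared_dir, private_dir):
        self.shared = Path(shared_dir)
        self.private = Path(private_dir)
        self.key = os.urandom(32)  # per-install secret, assumed kept private

    def _tag(self, data):
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def save(self, name, data):
        (self.shared / name).write_bytes(data)
        (self.private / (name + ".tag")).write_text(self._tag(data))

    def load(self, name):
        """Return the file bytes, or raise ValueError if they no longer match
        what was received (modified, replaced, or integrity record missing)."""
        tag_file = self.private / (name + ".tag")
        if not tag_file.exists():
            raise ValueError(f"{name}: no integrity record")
        data = (self.shared / name).read_bytes()
        if not hmac.compare_digest(self._tag(data), tag_file.read_text()):
            raise ValueError(f"{name}: changed after it was received")
        return data


def demo():
    """Constructed scenario: an invoice is saved, then overwritten in shared storage."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        store = MediaStore(shared, private)
        store.save("invoice.txt", b"Pay to account 11111111")
        untouched = store.load("invoice.txt")
        # Stands in for another process with write access to shared storage.
        (Path(shared) / "invoice.txt").write_bytes(b"Pay to account 99999999")
        try:
            store.load("invoice.txt")
            detected = False
        except ValueError:
            detected = True
        return untouched, detected
```

A check like this only detects the change. What the app then does with a file that fails it (refuse to show it, re-download it, warn the user) is a separate design decision.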
Have you been affected by ‘Media File Jacking’? Let us know in the comments below, or tweet us @Hyve!