According to Symantec researchers, the security flaw dubbed “Media File Jacking” affected WhatsApp for Android by default, and Telegram for Android if certain features were enabled. The vulnerability arises from the lapse in time between when media files received through the apps are written to the disk and when they are loaded in the apps’ chat user interface (UI) for users to consume. This critical time window allows malicious actors to intrude and manipulate media files without the user’s knowledge. “If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos,” wrote Software Engineer Alon Gat and Yair Amit, Vice-President and Chief Technology Officer, Modern OS Security, Symantec. “Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or to wreak havoc.” While WhatsApp saves files such as photos or videos to external storage automatically by default, the vulnerability is present on Telegram only if “Save to Gallery” is enabled. Media File Jacking allows a malicious Android application with the write-to-external-storage permission to quickly modify files sent or received via WhatsApp and Telegram. The researchers showed how such a malicious app can be used to scam victims in many different ways. They tested malware they had created to manipulate image and audio files sent through WhatsApp and Telegram. Giving an example of image manipulation, the researchers said “a seemingly innocent, but actually malicious, app downloaded by a user could manipulate personal photos in near-real-time and without the victim knowing.”
In the clip above, a photo of two friends is sent; however, the malware on the recipient’s device automatically replaced it with an image of actor Nicolas Cage. “A WhatsApp user may send a family photo to one of their contacts, but what the recipient sees is actually a modified photo. While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly,” said the blog post. Attackers can also use the same vulnerability to alter payment details or voice notes, which is a far more dangerous scenario. “In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Gat and Amit wrote. “An app that appears to be legitimate but is in fact malicious, watches for PDF invoice files received via WhatsApp, then programmatically swaps the displayed bank account information in the invoice with that of the bad actor. The customer receives the invoice, which they were expecting to begin with, but has no knowledge that it’s been altered. By the time the trick is exposed, the money may be long gone,” they added. “To make matters worse, the invoice hack could be broadly distributed in a non-targeted way, looking for any invoices to manipulate, affecting multiple victims who use IM apps like WhatsApp to conduct business.”
The company also said that the hack could be used to spread misinformation in Telegram “channels,” which are used to broadcast messages to huge numbers of users. Symantec researchers have already notified WhatsApp and Telegram about the Media File Jacking vulnerability and have suggested several changes to file validation and storage on their platforms to address it. However, a WhatsApp spokesperson said that making changes to its storage system would restrict the service’s ability to share media files and would also raise new privacy issues. “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” the spokesperson said in a statement. “WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.” Telegram has not yet responded.
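The file-validation change suggested to the vendors can be illustrated on the receiver side, as an added example that is not Symantec’s, WhatsApp’s or Telegram’s code: pin a digest of each received file in app-private storage at write time and re-verify it when the file is loaded for display, so that anything altered in the window between the two steps (the invoice case above, for instance) is refused rather than rendered. Directory names and the sample invoice bytes are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Optional

# Added illustration, not Symantec's or WhatsApp's code: a receiver-side integrity
# check for the write-to-disk / load-to-UI window. Each received file's SHA-256 is
# pinned in app-private storage (which other apps cannot write) at write time and
# re-verified when the file is loaded. Directory names are constructed for the example.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def receive_media(external_dir: str, private_dir: str, name: str, data: bytes) -> str:
    """Write media to shared external storage and pin its digest privately."""
    os.makedirs(external_dir, exist_ok=True)
    os.makedirs(private_dir, exist_ok=True)
    path = os.path.join(external_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    with open(os.path.join(private_dir, name + ".sha256"), "w") as f:
        f.write(sha256_hex(data))
    return path

def load_media(external_dir: str, private_dir: str, name: str) -> Optional[bytes]:
    """Re-read the file at display time; return None if it no longer matches."""
    with open(os.path.join(external_dir, name), "rb") as f:
        data = f.read()
    with open(os.path.join(private_dir, name + ".sha256")) as f:
        expected = f.read().strip()
    # Any change made between receive_media() and this point fails the check.
    return data if sha256_hex(data) == expected else None

def demo() -> tuple:
    """Returns (untampered_file_loads, tampered_file_rejected)."""
    root = tempfile.mkdtemp()
    ext, priv = os.path.join(root, "external"), os.path.join(root, "private")
    invoice = b"%PDF-1.4 pay to account 111-222"  # constructed stand-in for a PDF
    path = receive_media(ext, priv, "invoice.pdf", invoice)
    ok_before = load_media(ext, priv, "invoice.pdf") == invoice
    # Simulate the alteration described in the article: another app with
    # external-storage write permission rewrites the file before the UI loads it.
    with open(path, "wb") as f:
        f.write(b"%PDF-1.4 pay to account 999-000")
    rejected = load_media(ext, priv, "invoice.pdf") is None
    return ok_before, rejected

if __name__ == "__main__":
    print(demo())  # (True, True)
```

Note that the check only protects the receiver; a sender-side digest carried in the message (which is what the suggested protocol-level validation would provide) is needed if the file can be altered before the receiving app first writes it.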