Most users of apps like WhatsApp and Telegram expect their communications to be encrypted and therefore protected, but that doesn’t mean all communications shared through those apps are safe from intrusion. Symantec today published a report in which it details vulnerabilities present in both apps on Android that could potentially allow malicious actors to hijack shared media files and replace them before recipients realize what’s going on.
That’s pretty alarming, and according to Symantec’s report, this “Media File Jacking” is possible because of the way both WhatsApp and Telegram store media files that are shared through the app. Android apps ultimately have two options when it comes to storing files and data: they can store them internally or externally. If an Android app is storing files internally, then those files are only accessible by the app itself, not by other apps. Conversely, files stored externally can be accessed by other apps or users.
Symantec says that many Android apps store data externally through the Write-to-External permission, finding that “nearly 50% of a given device’s apps have this permission.” Both WhatsApp and Telegram store media files shared through the apps externally, and Symantec has discovered that in the period of time between when a shared file is written to the device and when it’s loaded for end-users in the apps themselves, malware has a window of opportunity to replace those files with malicious files of its own.
“Think of it like a race between the attacker and the app loading the files. If the attacker gets to the files first – this can happen almost in real time if the malware monitors the public directories for changes – recipients will see the manipulated files before ever seeing the originals,” Symantec VP & CTO of modern OS security Yair Amit and software engineer Alon Gat wrote today. “Moreover, the thumbnail that appears in the notification that users see will also show the manipulated image or file, so recipients will have no indication that files were changed.”
Beyond all of that, Symantec also says that the attack can be launched from either the sender or the recipient’s device, so even if you’re sure you don’t have any malicious apps installed on your device, that doesn’t guarantee protection from this exploit. Symantec goes on to detail the number of ways this can be used, from image manipulation to more serious attacks like payment manipulation and audio message spoofing (which are detailed in the videos embedded in this article).
The company then details the ways app developers can protect against malicious attacks that take advantage of the fact that media is often stored in public directories, whether that’s validating the integrity of files before they’re loaded by the app or simply using internal storage for media files. Users can prevent this as well; in WhatsApp go into Settings, then Chats, and turn off “Media Visibility.” In Telegram, the process is mostly the same, as you’ll go into Settings, then Chat Settings, and turn off “Save to Gallery.”
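As an added illustration of the integrity-validation option (not code from Symantec's report or from either app), the sketch below records a SHA-256 digest in private storage when a file is written and checks it when the file is loaded. It uses only the plain JDK, with temporary directories standing in for internal and external storage; `MediaIntegrity`, `saveMedia` and `loadVerified` are hypothetical names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; MediaIntegrity, saveMedia and loadVerified are hypothetical names.
public class MediaIntegrity {
    private final Path privateDir; // stands in for app-internal storage
    public MediaIntegrity(Path privateDir) { this.privateDir = privateDir; }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    // The expected digest is kept where other apps cannot write.
    private Path digestPath(Path media) {
        return privateDir.resolve(media.getFileName() + ".sha256");
    }
    // Record the digest of the received bytes privately, then write the shared copy.
    public void saveMedia(Path publicFile, byte[] received) throws IOException {
        Files.write(digestPath(publicFile), sha256(received));
        Files.write(publicFile, received);
    }

    // Read once, verify those exact bytes, and hand the same bytes to the caller,
    // so nothing can swap the file between the check and the display.
    public byte[] loadVerified(Path publicFile) throws IOException {
        byte[] onDisk = Files.readAllBytes(publicFile);
        byte[] expected = Files.readAllBytes(digestPath(publicFile));
        if (!MessageDigest.isEqual(expected, sha256(onDisk)))
            throw new SecurityException("modified after write: " + publicFile.getFileName());
        return onDisk;
    }

    public static void main(String[] args) throws IOException {
        MediaIntegrity store = new MediaIntegrity(Files.createTempDirectory("internal"));
        Path img = Files.createTempDirectory("external").resolve("IMG-0001.jpg"); // constructed sample
        store.saveMedia(img, "original image bytes".getBytes(StandardCharsets.UTF_8));
        System.out.println("intact: " + store.loadVerified(img).length + " bytes");
        Files.write(img, "different bytes".getBytes(StandardCharsets.UTF_8)); // simulate a changed file
        try { store.loadVerified(img); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The check only helps if the app displays the bytes that were verified; re-reading the file from the public directory after the check would reopen the same window.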
Symantec’s full report is definitely worrying, and it’s worth a read through if you’ve got a few minutes to spare today. It shows that even apps which boast about their security features can still have flaws, with Symantec reminding us that “no code is immune to security vulnerabilities.”