WhatsApp and Telegram Vulnerable to Media File Manipulation on Android

Hackers Can Manipulate Files Sent via WhatsApp and Telegram

Security experts at Symantec have warned that hackers can manipulate media files sent through WhatsApp and Telegram on Android devices. The issue arises because these apps use external storage, which poses a security risk for their users.

Understanding the Storage Problem

To understand the problem, it’s important to know that, in addition to the shared external storage (usually an SD card, USB drive, or available device space), there is also internal storage (also known as system memory). Internal storage is built into the device and holds the operating system, system apps, drivers, and some user app data.

Each installed app can allocate its own space in internal storage, which is isolated so that other apps cannot access it. However, since device storage is limited, many developers avoid overusing internal storage and allow their apps to be installed on external storage. Unfortunately, external storage is much less secure.

How the Attack Works

In their report, Symantec experts describe a technique called Media File Jacking. This method allows a malicious Android app to manipulate files sent or received via WhatsApp and Telegram. The attack occurs in the brief moment between when files are written to storage and when they are loaded in the app interface. This method works against WhatsApp with default settings and against Telegram if the user has enabled the “Save to gallery” option.

Researchers note that such attacks can be used in various ways, such as extortion, altering bank account information in files (causing victims to send money to hackers), or spreading fake news in Telegram channels.

Responses from WhatsApp and Telegram

Symantec has already informed the developers of WhatsApp and Telegram about these risks. WhatsApp representatives responded that they believe this issue should be addressed by Google engineers. In the upcoming Android Q release, a feature called Scoped Storage will change how apps interact with files in external storage. Telegram developers have not commented on the report.

Symantec’s Recommendations

Symantec believes that app developers should take steps to prevent such attacks by verifying file integrity before loading them into the app, saving files in internal storage whenever possible, and applying encryption to media files, just as is done with text messages.
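One way to apply the integrity-check and internal-storage recommendations above, as an added example that is not Symantec's, WhatsApp's, or Telegram's code. It is a Python model in which two temporary directories stand in for app-private internal storage and shared external storage; the class, function, and file names are hypothetical and the file contents are constructed samples.

```python
import hashlib
import json
import tempfile
from pathlib import Path

class IntegrityError(Exception):
    """Raised when a media file does not match the digest recorded on receipt."""

class MediaStore:
    def __init__(self, private_dir, shared_dir):
        self.shared = Path(shared_dir)
        # The digest index lives in app-private storage, out of reach of other apps.
        self.index = Path(private_dir) / "media_digests.json"

    def _digests(self):
        return json.loads(self.index.read_text()) if self.index.exists() else {}

    def save_received(self, name, data):
        # Hash the bytes as received, before they ever touch shared storage.
        digests = self._digests()
        digests[name] = hashlib.sha256(data).hexdigest()
        self.index.write_text(json.dumps(digests))
        path = self.shared / name
        path.write_bytes(data)
        return path

    def load_for_display(self, name):
        expected = self._digests().get(name)
        if expected is None:
            raise IntegrityError(f"no digest recorded for {name}")
        data = (self.shared / name).read_bytes()  # read the file exactly once
        if hashlib.sha256(data).hexdigest() != expected:
            raise IntegrityError(f"{name} changed after it was received")
        return data  # render this buffer; re-opening the path reopens the race

def demo():
    # Returns (intact file accepted, modified file rejected).
    with tempfile.TemporaryDirectory() as priv, tempfile.TemporaryDirectory() as shared:
        store = MediaStore(priv, shared)
        original = b"constructed sample: pay to account 1111"
        path = store.save_received("invoice.pdf", original)
        intact = store.load_for_display("invoice.pdf") == original
        path.write_bytes(b"constructed sample: pay to account 9999")  # changed on shared storage
        try:
            store.load_for_display("invoice.pdf")
        except IntegrityError:
            return intact, True
        return intact, False
```

The check only helps if the app displays the verified buffer itself; verifying the file and then handing the path to a viewer leaves the same window between check and use.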

Symantec analysts created a malicious proof-of-concept app to demonstrate Media File Jacking attacks in practice, providing examples of file manipulation.

Similar Attacks and Additional Risks

It’s worth noting that the Media File Jacking attack is very similar to the Man-in-the-Disk attack described by Check Point analysts last year. At that time, researchers warned that using external storage carries many risks, as malware on a device can attack neighboring apps, disable them, or even replace them with malicious versions.
