Apps like WhatsApp and Telegram may not always be able to keep files safe after they’ve been sent, even though they’re known for strongly encrypting messages.
According to researchers from Symantec, hackers could easily use a malicious app to subtly deteriorate media files sent through the apps.
Images and audio files can choose to save on Android, through either internal storage that’s only accessible through the app, or external storage-more widely available. In WhatsApp’s case, media is stored by default, through external storage. The same goes for Telegram when the app’s “Save to Gallery” feature is enabled.
It’s quite concerning as the design means malware with external storage access could access WhatsApp and Telegram media files, sometimes even before we, the users, get to see them.
The scenario goes like this: if a user downloads a malicious app and then receives a photo on WhatsApp, a hacker could be in control of the media file without them being aware, according to the researchers. They call the attack “Media File Jacking.”
Of course, nowadays, privacy and accessibility for messaging apps are quite relative. The external storage setting is widely used and therefore, apps are more compatible with others, which allows data to travel more and more freely.
Telegram did not immediately respond to a request for comment and a WhatsApp spokesperson stated that changing its storage system would significantly limit the app’s capacity to share media files, and even introduce new privacy issues.
“WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” the spokesperson said in a statement. “WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development.”
Researchers also highlighted the fact that users generally trust encrypted apps “to protect the integrity of both the identity of the sender and the message content itself.” They concluded that “as we’ve mentioned in the past, no code is immune to security vulnerabilities.”