Security researchers from Symantec discovered a security flaw named “Media File Jacking” affecting WhatsApp and Telegram for Android.
Researchers demonstrated a new attack technique that allows attackers to manipulate media files received via WhatsApp and Telegram on Android. The flaw could potentially affect other Android apps as well.
The attack leverages the fact that any installed app can access and rewrite files saved in the device's external storage, including files saved by other apps.
“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume. This critical time lapse presents an opportunity for malicious actors to intervene and manipulate media files without the user’s knowledge,” the researchers said in their blog post.
A malicious app installed on the device will allow attackers to intercept and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos.
In Android, applications store files and data in two locations: internal storage and external storage.
Data stored in internal storage is accessible only to the app that owns it, whereas data stored in external storage is accessible to other apps as well.
WhatsApp stores received media files in external storage by default. In the case of Telegram, the data is stored in external storage if the user enables the ‘Save to Gallery’ option.
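As an added example (not code from the article, WhatsApp or Telegram), the following Android Java class shows the developer-side counterpart of the mitigation discussed on this page: received media is written to app-private internal storage instead of external storage, and a SHA-256 digest taken at write time is rechecked immediately before the chat UI renders the file, so a modification made in the window between write and display is detected rather than shown. The class name, method names and the "received_media" directory are assumptions; the digest check is an added hardening step the article itself does not describe.

```java
import android.content.Context;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Stores received media so the write-to-display gap cannot be exploited. */
public final class ReceivedMediaStore {
    private final Context ctx;
    public ReceivedMediaStore(Context ctx) { this.ctx = ctx; }
    /** A stored file plus the SHA-256 digest taken at the moment it was written. */
    public static final class Record {
        public final File file; public final byte[] sha256;
        Record(File file, byte[] sha256) { this.file = file; this.sha256 = sha256; }
    }
    // Mitigation 1: write to app-private internal storage (getFilesDir()) rather than
    // external storage, which the article describes as rewritable by any other app.
    public Record save(String name, byte[] media) throws IOException {
        File dir = new File(ctx.getFilesDir(), "received_media");
        if (!dir.mkdirs() && !dir.isDirectory()) throw new IOException("cannot create " + dir);
        File out = new File(dir, new File(name).getName()); // drop any directory component
        try (FileOutputStream fos = new FileOutputStream(out)) { fos.write(media); }
        // Mitigation 2: keep a digest of what was written so any later change is detectable.
        return new Record(out, sha256(media));
    }
    // Called just before the chat UI renders the file: re-hash and compare to the stored digest.
    public byte[] loadForDisplay(Record rec) throws IOException {
        byte[] data = readAll(rec.file);
        if (!MessageDigest.isEqual(sha256(data), rec.sha256)) {
            throw new IOException(rec.file.getName() + " was modified after it was received");
        }
        return data;
    }
    private static byte[] readAll(File f) throws IOException {
        try (FileInputStream in = new FileInputStream(f); ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
            return buf.toByteArray();
        }
    }
    private static byte[] sha256(byte[] data) {
        try { return MessageDigest.getInstance("SHA-256").digest(data); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

A caller that keeps the Record in its message database and routes every render through loadForDisplay turns a silent swap into a visible failure instead of a displayed forgery.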
Researchers shared four attack scenarios in which attackers could exploit this flaw:
1. Image Manipulation
In this scenario, a malicious app downloaded by the user can manipulate personal photos in real time without the victim knowing. The app can run in the background and perform Media File Jacking while the victim uses WhatsApp or Telegram.
2. Payment Manipulation
This is one of the most damaging Media File Jacking attacks. A malicious actor can manipulate an invoice sent by a vendor to a customer by changing the bank account information in the invoice, tricking the customer into making the payment to an account controlled by the attacker.
3. Audio Message Spoofing
In this scenario, the attacker uses voice reconstruction via deep learning technology to alter the original voice message sent by the victim.
4. Spread Fake News
In Telegram, admins use “channels” to broadcast messages to an unlimited number of subscribers who consume the published content. An attacker can carry out Media File Jacking attacks to alter the media files that appear in the channel feed in real time to spread fake news.
Researchers have already notified Telegram and WhatsApp about the flaw. For more details, see the report published by Symantec researchers.
How to Prevent Media File Jacking Attacks
Users can prevent Media File Jacking attacks by turning off the feature that saves media files to external storage.
1. WhatsApp: Settings -> Chats -> Turn off ‘Media Visibility’
2. Telegram: Settings -> Chat Settings -> Turn off ‘Save to Gallery’