Security researchers discovered a Telegram and WhatsApp vulnerability that could enable digital attackers to tamper with media files.

Symantec traced the bug, which it dubbed media file jacking, to both WhatsApp’s default configuration and an optional Telegram setting on Android devices whereby the apps store media files in external storage without proper security measures. Because external storage is shared, this could enable attackers to manipulate the media files and change their content without users’ knowledge — all they would need is another Android app on the same device holding the write-to-external-storage permission.

Specifically, the researchers found that threat actors could change the content of image files received by either service. They could also use the concept of channels to essentially broadcast fake news or spoof audio messages. Perhaps most concerning, attackers could abuse the Telegram and WhatsApp vulnerability to manipulate invoices sent to users and trick them into submitting payments to an account under their control.

A Year of Telegram and WhatsApp Vulnerabilities

Other security firms have spotted security weaknesses affecting WhatsApp and Telegram. In August 2018, Check Point found a flaw that could enable threat actors to intercept and manipulate messages received in private and group conversations. This discovery came several months before Reuters reported on a vulnerability that allowed entities such as the NSO Group to inject spyware onto mobile devices by abusing WhatsApp’s voice-calling feature.

As for Telegram, researchers at Kaspersky Lab came across a flaw in the service’s Windows client in February 2018 that enabled threat actors to launch a right-to-left override attack whenever a user sent a message. Less than a year later, Forcepoint Security Labs discovered that digital attackers were using the Telegram Bot application programming interface (API) as command-and-control (C&C) infrastructure for their malware attacks.

How to Defend Against Media File Jacking Attacks

Security professionals can help defend their organizations against media file jacking flaws by using a unified endpoint management (UEM) tool to monitor their apps for suspicious behavior and address any malicious activity.

Additionally, if the organization develops its own apps, security professionals should strive to create a healthy application security culture by testing and hardening application code, completed apps and back-end services.
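The mechanism described above (a file written to shared external storage can be altered by any other app with the write permission, between the moment it is received and the moment it is shown) suggests one concrete hardening step for an app developer: record a digest of the bytes at receipt time in app-private storage and verify it before the file is displayed or played. The following is an added illustration in plain Java, not code from Symantec, WhatsApp or Telegram; `MediaIntegrityLedger`, its method names and the in-memory map are hypothetical, and the temporary directory stands in for a shared media folder so the example runs on a desktop JDK without Android APIs.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical receive-side integrity check for media that an app keeps on
 * shared (external) storage. On Android the ledger itself would live in
 * app-private storage, which other apps cannot write to; here it is a map.
 */
public class MediaIntegrityLedger {

    // Hypothetical ledger: shared-storage path -> SHA-256 hex recorded at receipt time.
    private final Map<String, String> ledger = new HashMap<>();

    private static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is available on every standard JVM", e);
        }
    }

    /**
     * Write freshly received bytes to shared storage and record their digest in the
     * same step. Hashing the in-memory bytes (not re-reading the file) closes the
     * window between the write and the ledger entry.
     */
    public void storeAndRecord(Path sharedFile, byte[] receivedBytes) throws IOException {
        Files.write(sharedFile, receivedBytes);
        ledger.put(sharedFile.toString(), sha256Hex(receivedBytes));
    }

    /** Call before displaying or playing the file; false means the bytes changed since receipt. */
    public boolean verifyBeforeUse(Path sharedFile) throws IOException {
        String expected = ledger.get(sharedFile.toString());
        if (expected == null) return false; // never recorded by this app: treat as untrusted
        String actual = sha256Hex(Files.readAllBytes(sharedFile));
        // Constant-time comparison, as for any digest check.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                actual.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory stands in for a shared media folder.
        Path sharedDir = Files.createTempDirectory("shared-media");
        Path invoice = sharedDir.resolve("invoice.txt");
        byte[] received = "Invoice total 120.00, pay to account A (constructed sample)"
                .getBytes(StandardCharsets.UTF_8);

        MediaIntegrityLedger ledger = new MediaIntegrityLedger();
        ledger.storeAndRecord(invoice, received);
        System.out.println("untouched file verifies: " + ledger.verifyBeforeUse(invoice)); // true

        // Simulate the modification the article describes: the file on shared storage
        // is rewritten after receipt. The app detects it before rendering.
        Files.write(invoice, "Invoice total 120.00, pay to account B (constructed change)"
                .getBytes(StandardCharsets.UTF_8));
        System.out.println("modified file verifies:  " + ledger.verifyBeforeUse(invoice)); // false
    }
}
```

The ledger is a second line of defence only: the first is to keep received media in app-private internal storage so that no other app can write to it at all, and to copy it to shared storage only when the user explicitly exports it. When shared storage is unavoidable, the digest must be taken from the bytes as received and the check must run every time the file is about to be shown, not once at download.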
