WhatsApp and Telegram Flaw Lets Hackers Steal or Alter Media Files – How to Fix it
WhatsApp and Telegram messaging apps both have an exploit that allows hackers to intercept and edit the contents of media files. The security bug, known as Media File Jacking, affects any type of media file received or sent by the messaging apps including photos, videos, notes, and audio files – a popular way of chatting on WhatsApp. WhatsApp is the most popular messaging app in the world. A major feature it that it offers is end-to-ed encrypted communications. The security flaw was discovered by cyber security researchers at Symantec.
The cyber security exploit takes advantage a tiny slice of time within which hackers can intercept, alter, or steal media files while they are in transmission between devices. The files are intercepted before they are ever received. WhatsApp default settings save files to external storage. If a hacker gets to your files before you do, then they can edit the contents of the files, create fake files, or steal the contents. Millions of people use WhatsApp for secure communications and sensitive data.
The hack occurs when files are sent to others or received by your device and stored externally, before your ever see them.
What is WhatsApp?
Both WhatsApp and Telegram are instant messaging apps. There are over 1.5 billion WhatsApp users in 180 countries , making it the most used messaging app globally. The app was acquired by Facebook in early 2014. Telegram is much smaller with about 200 million users. It’s viewed as an alternative to WhatsApp because of Facebook’s ownership of the former.
Messaging apps are used globally for much more than voice communications or sending texts. As the most widely used messaging app in the world, with over 80% penetration is some European countries, WhatsApp is used to for business transactions and banking as one of its most important features is that it offers secure messages with end-to-end encryption. Hackers can exploit the security flaw to intercept and alter invoices and banking transactions -diverting money to their own bank accounts – by scamming businesses. Fake requests for money can be sent to friends on your contact list or in broadcast groups.
In May 2019, WhatsApp had a vulnerability that allowed hackers to hijack smartphones. The exploit let hackers install spyware that could take control of the phone and its camera. The malware took advantage of a security bug that occurred as a result of a missed voice call. Hackers could control the phone as well as access personal data on compromised devices. WhatsApp patched that vulnerability with a security update.
MobonoGram 2019 Telegram Exploit
MobonoGram 2019, a self-proclaimed unofficial version of Telegram, was removed from the Google Play store. Symantec found the malicious app touting itself as a better version of Telegram but was loading malicious websites and secretly running services without user permission. MobonoGram 2019 was downloadable in Asia and the United States.
What is Media File Jacking?
Media Jacking is a form of hacking. It takes advantage of the time between when a file is received by an app user to when it is stored on the device. Hackers intercept, or hijack, media files to steal or alter the contents and scam victims.
WhatsApp Media Jacking – How to Protect Your Privacy
By default, WhatsApp saves files to external storage. You will need to change your settings to protect your device from hackers. Users can either save their files to their phone’s media gallery or make all media only visible to WhatsApp. Either settings change protects media files from hackers.
In Android, messaging apps can be set to save images, video, and audio files to either internal storage or external storage. Files saved to external storage are vulnerable to Media Jacking.
How to Change Your WhatsApp Settings – Android Devices
- Open WhatsApp on your phone
- Tap the three dots in the upper right corner of the app
- Tap Settings
- Select Chats
- Slide the Media Visibility switch to Off
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers