People use secure messaging services with end-to-end encryption like WhatsApp or Telegram because they believe they will keep their messages and devices more secure. While this is generally true, there are security issues with these apps that users need to be aware of.

Recently, an exploit called media file jacking has been revealed on Android devices running WhatsApp and Telegram. If you use either of these apps, there are steps you need to take to protect yourself and your device.

How Are Media Files a Security Risk?


The security firm Symantec announced the vulnerability, which can be used to spread fake news or trick users into sending payments to the wrong address. It abuses the mechanism by which messaging apps receive and store media files, such as when a friend sends you a photo or video through the app.

In order to receive the file, the app needs Android's permission to write to external storage (the WRITE_EXTERNAL_STORAGE permission). This means that the app can take a file which is sent to you and save it onto your device's SD card.

Ideally, apps like Telegram or WhatsApp would only write to internal storage, which is private to the app: the files can be viewed within the app but cannot be accessed by other apps. But that would mean that if someone sends you a photo, it would not automatically appear in your camera gallery.

WhatsApp saves files to external storage by default. Telegram saves files to the SD card if the "Save to gallery" option is enabled.

What Is Media File Jacking?

The attack works by intercepting the process by which a messaging app saves media files.

First, a user downloads an innocent-seeming app such as a free game, but there is actually malware hidden inside which runs in the background of their device.

Now, the user opens their messaging app. If the app saves media files to external storage, the malicious app can target them in the window between the moment they are written to storage and the moment they are displayed in the app.

Media File Jacking diagram (Image Credit: Symantec)

This is similar to a man-in-the-middle attack. The malicious app monitors external storage for changes and steps in the moment it detects one: once the messaging app has saved a real file to your device, the malicious app overwrites that file with its own, and the fake file is what the messaging app then displays.

This works for images and audio files. It even swaps out the thumbnail in the messaging app, so users have no idea the file they are opening is not the file their contact sent to them.

What Kind of Information Could Be Manipulated?

An example of how this could be misused is a vendor who uses WhatsApp or Telegram to send an invoice to a client. If the client's device has malware, it could swap out the real invoice for a fake one. The fake invoice has the scammer's bank details instead of the vendor's bank details.

The client would then pay the sum of the invoice to the scammer without ever realizing they had been tricked. As far as the client could tell, it was a regular invoice from their vendor, and they would have no reason not to trust it.

Other personal and business documents could be at risk too. The exploit could manipulate personal photos or videos, voice memos, or business documents. This could be something small like swapping out photos sent through apps for inappropriate images. Or it could be something more sophisticated like a business executive who saves a voice memo to their phone and sends it to a secretary for transcription.

The voice memo could be changed to say anything the attackers want, causing chaos.

This situation is particularly worrying because people have come to trust that messages they send using services with end-to-end encryption are secure. Many people know that SMS messages or emails can be faked. So they are on the lookout for a scam even if a message appears to be from someone they know. But people trust in encrypted messaging. They aren't so aware of the potential security threat that could be posed by these apps.

How Can Media File Jacking Spread Fake News?

One unexpected problem that this attack could cause is spreading fake news. Many people use a Telegram feature called channels. Channels are forums through which an admin can send messages to a large group of subscribers. Some people use this as a news feed, viewing daily news stories from a trusted channel within their Telegram app.

The concern is that media file jacking could be used to interfere with news channels. A trusted news channel admin sends out a newsworthy image. Then that image is intercepted by a malicious app on the receiver's phone, and the real image is swapped for a fake news image. The admin would have no idea this had happened, and the recipient would think that the image was a real news story.

How to Protect Your Devices From Media File Jacking

A true fix for this vulnerability will require developers to rethink the way they approach saving files to storage in Android. However, there is a quick fix for users in the meantime. You simply need to disable saving files to external storage.
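As an added illustration (not code from the article or from Symantec, WhatsApp or Telegram), the following Python simulation models the developer-side defence that the attack description above and the fix discussed here both point to: the app records a hash of the media bytes it decrypted, then re-verifies the file against that hash immediately before display, so a file overwritten in shared storage between save and display is rejected rather than shown. File names, sample bytes and the overwrite step are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Optional

# Assumed flow: the messaging app decrypts a received media file, writes it to
# storage, and later reads it back for display. On Android a file written to
# shared (external) storage can be overwritten by any other app holding the
# write-to-external-storage permission; a file in the app's private internal
# storage cannot, which is why the article's setting change closes the gap.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def save_media(payload: bytes, path: str) -> str:
    """Write the decrypted payload to disk and return the digest the app
    computed while it still held the authentic bytes in memory."""
    digest = sha256_hex(payload)
    with open(path, "wb") as f:
        f.write(payload)
    return digest


def load_for_display(path: str, expected_hex: str) -> Optional[bytes]:
    """Re-read the file just before display and refuse to show it if the
    bytes on disk no longer match what the app originally wrote."""
    with open(path, "rb") as f:
        data = f.read()
    if sha256_hex(data) != expected_hex:
        return None  # tampered between save and display: do not render
    return data


def simulate(tampered: bool) -> bool:
    """Model the save -> (possible overwrite) -> display sequence.
    Returns True if the app would display the genuine file."""
    with tempfile.TemporaryDirectory() as shared_dir:
        path = os.path.join(shared_dir, "invoice.jpg")  # constructed name
        genuine = b"constructed sample: genuine invoice image bytes"
        expected = save_media(genuine, path)
        if tampered:
            # Stand-in for a third-party app that overwrites the file in the
            # window between save and display (constructed, not real malware).
            with open(path, "wb") as f:
                f.write(b"constructed sample: replacement image bytes")
        return load_for_display(path, expected) is not None
```

The check only helps if the expected digest is kept in the app's private state rather than next to the file in shared storage.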

To do this on Telegram, open the menu by swiping from the left of the app and go to Settings. Then go to Chat Settings. Make sure the Save to Gallery toggle is set to off.

To disable external file storage on WhatsApp, go to Settings, then to Chats. Make sure the Media Visibility toggle is set to off.

Once you have changed this setting, your messaging app will no longer write media files to external storage and will be protected against media file jacking attacks.

Update WhatsApp and Telegram Settings to Avoid Media Jacking

Media file jacking is an example of the clever ways in which attackers can interfere with your device through a messaging app. It's a good idea to change your settings to make sure your device isn't vulnerable.

While you're learning about security and messaging apps, check out the WhatsApp security threats users need to know about.