WhatsApp attack warning
An interesting start to the week for WhatsApp. A few hours after Telegram’s Pavel Durov warned that the Meta messenger has “multiple attack vectors”, comes a report that Google has discovered a serious vulnerability in WhatsApp that “opens (an) attack surface”.
Any warning from Google’s Project Zero researchers is taken seriously. This is the team behind many of the exploit-chain discoveries underlying the spyware plaguing Android and iPhone. The newly reported issue affects WhatsApp on Android and concerns zero-click media downloads: the victim does not need to open or tap anything for the attacker’s file to land on the device.
The attack works like this. The attacker creates a new WhatsApp group and adds both the victim and one of the victim’s contacts to it. The attacker then promotes that contact to group administrator and sends a malicious multimedia attachment to the group. Because the group now has a trusted contact as an administrator, the attachment will likely be downloaded to the victim’s phone automatically, which is what opens up the attack surface.
Google says Meta is currently working on a fix. “They pushed a server change on November 11th that partially resolved the issue, but are working on a full fix.” Meanwhile, Google tells users to “turn off Auto Download or enable WhatsApp’s Advanced Privacy feature, (to) prevent the file from downloading automatically.”
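To make the trust-boundary mistake concrete, here is a small policy model written for this piece. It is an illustrative example, not WhatsApp’s code, and WhatsApp’s real decision logic is not public; the structures and field names (contacts, admins, sender) are assumptions. It contrasts a policy that trusts a whole group once a contact is an administrator with one that decides per sender, and replays the steps described above against both.

```python
"""Toy model of a per-message auto-download policy for a group chat.

Illustrative example written for this article, not WhatsApp's code. The real
decision logic is not public; Group/Message fields are assumptions. The point
is the trust anchor: "a contact is an admin of this group" says nothing about
who actually sent a given attachment.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Group:
    members: set[str]
    admins: set[str] = field(default_factory=set)


@dataclass
class Message:
    group: Group
    sender: str       # identifier of whoever sent the attachment
    has_media: bool


Policy = Callable[[Message, set[str]], bool]


def auto_download_group_trust(msg: Message, contacts: set[str]) -> bool:
    """Flawed policy: trust every attachment in a group once a contact is an admin.

    The sender is never inspected, so a stranger who created the group and
    promoted the victim's contact is treated like the contact.
    """
    if not msg.has_media:
        return False
    return bool(msg.group.admins & contacts)


def auto_download_sender_trust(msg: Message, contacts: set[str]) -> bool:
    """Hardened policy: decide on the actual sender of the attachment.

    Other members' admin status is not a reason to trust a file; only the
    sender being a saved contact is.
    """
    if not msg.has_media:
        return False
    return msg.sender in contacts


# Constructed sample identities for the scenario in the article.
VICTIM, CONTACT, ATTACKER = "+1000", "+2000", "+9999"


def _attacker_group() -> tuple[Group, set[str]]:
    contacts = {CONTACT}                                  # victim's address book
    group = Group(members={VICTIM, CONTACT, ATTACKER})    # attacker creates the group
    group.admins.add(ATTACKER)
    group.admins.add(CONTACT)                             # attacker promotes the contact
    return group, contacts


def run_reported_scenario(policy: Policy) -> bool:
    """Attacker sends media in the group they created. Should NOT auto-download."""
    group, contacts = _attacker_group()
    return policy(Message(group=group, sender=ATTACKER, has_media=True), contacts)


def run_contact_in_group(policy: Policy) -> bool:
    """Control case: the real contact sends media in the same group. Should download."""
    group, contacts = _attacker_group()
    return policy(Message(group=group, sender=CONTACT, has_media=True), contacts)


if __name__ == "__main__":
    for name, policy in (("group-trust", auto_download_group_trust),
                         ("sender-trust", auto_download_sender_trust)):
        print(f"{name}: attacker media downloads={run_reported_scenario(policy)}, "
              f"contact media downloads={run_contact_in_group(policy)}")
```

The control case matters: a fix that simply stops all group media from downloading would break the normal case, whereas anchoring the decision on the sender keeps media from real contacts flowing while refusing the stranger’s file.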
I’ve warned before that automatically downloading media from any messaging platform is dangerous. While a file stays inside the messaging app, the app’s sandbox should contain the threat. But once that file is written to the phone’s shared media storage, other apps and system components can open and parse it, and everything changes.
This would likely be a targeted attack, Google says, because an attacker needs to know or guess a contact “making it lower severity than a full contact gateway bypass.” But the Project Zero team warns “it’s easy to attempt this multiple times in succession and probably easy to guess contacts in targeted attacks.”
Neowin spotted the Project Zero report and explains that it was reported privately to Meta on September 1, 2025, “giving the company the standard 90 days to fix the problem before it goes public. After Meta failed to issue a patch by November 30, 2025, the vulnerability was made public.”
Confirmation that Meta is working on a fix came on December 4th. “The ticket has not been updated with new communications since then,” Neowin says, “which would indicate that this bug is still open.” I have contacted Meta for any response.
It’s worth making these changes anyway, regardless of any fix. You should not let media files download automatically to your phone. Download a file only when you are sure of the sender and of where the file came from. Otherwise, leave it undownloaded.
Meanwhile, Durov issued this unrelated warning on X: “You’d have to be dead to believe that WhatsApp is secure in 2026. When we analyzed how WhatsApp implemented its ‘encryption’, we found multiple attack vectors.” There is nothing to substantiate this claim, so for now it can be filed along with other Telegram strikes on WhatsApp.