Media File Jacking security flaw affects WhatsApp and Telegram media files on Android devices

According to new research by Symantec, a security flaw dubbed ‘Media File Jacking’ could expose WhatsApp and Telegram media files on Android devices and allow malicious actors to manipulate them. If the flaw is exploited, the media files and any sensitive information they carry could be altered or misused.

The ‘Media File Jacking’ flaw affects WhatsApp for Android in its default configuration, and the report reveals that it also affects Telegram for Android if certain features are enabled. The flaw originates in the lapse of time between when media files received through the apps are written to disk and when they are loaded into the apps’ chat user interface for the user to view. This window gives malicious actors the opportunity to intervene and manipulate media files without the user’s knowledge.

WhatsApp supports end-to-end encryption, and Telegram provides end-to-end encryption for voice calls and optional end-to-end “secret” chats. In spite of this, attackers may be able to manipulate media files by taking advantage of logic flaws in the apps that occur before and/or after the content is encrypted in transit, the research reveals. End-to-end encryption protects the file while it travels between the sender and the recipient; it does nothing for a file that is rewritten on the recipient’s device after it has been decrypted and saved.

The findings also reveal that files saved to external storage are world-readable and world-writable, so any other app on the device that has been granted access to external storage can modify them. This is not the case with internal storage, which is accessible only to the app that owns it.
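The following is an added simulation, not code from Symantec or from either messaging app, that models the two points made above: a file lands on shared storage before the chat UI renders it, and any other app with write access to that storage can replace it in the meantime. A `Messenger` class stands in for the messaging app, a temporary directory stands in for external storage, and an in-memory dictionary stands in for app-private internal storage; the payload bytes and the `invoice.png` file name are constructed for the example. The unchecked load shows the flaw; the checked load shows one mitigation a developer could apply, comparing a digest recorded at receipt time against the file actually on disk at display time.

```python
import hashlib
import os
import tempfile

# Constructed sample payload standing in for a received image or voice note.
RECEIVED_MEDIA = b"\x89PNG\r\n\x1a\n original invoice image bytes (constructed)"
TAMPERED_MEDIA = b"\x89PNG\r\n\x1a\n invoice with attacker's account number (constructed)"


class Messenger:
    """Models the app: received media is written to a shared (external) directory,
    while a SHA-256 digest of what was actually received is kept in a private store
    that other apps cannot reach (here a dict, standing in for internal storage)."""

    def __init__(self, shared_dir):
        self.shared_dir = shared_dir
        self.private_index = {}  # filename -> hex digest, app-private

    def receive(self, name, data):
        path = os.path.join(self.shared_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        # Record the digest of the decrypted content at the moment it is saved.
        self.private_index[name] = hashlib.sha256(data).hexdigest()
        return path

    def load_unchecked(self, name):
        """Vulnerable behaviour: trust whatever is on shared storage at display time."""
        with open(os.path.join(self.shared_dir, name), "rb") as f:
            return f.read()

    def load_checked(self, name):
        """Hardened behaviour: refuse to display a file whose digest no longer
        matches the one recorded privately when the file was received."""
        with open(os.path.join(self.shared_dir, name), "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != self.private_index[name]:
            raise ValueError(f"{name} was modified on shared storage after receipt")
        return data


def malicious_app_tampers(shared_dir, name, replacement):
    """Any app with write access to external storage can do this; no privilege
    beyond that permission is assumed."""
    with open(os.path.join(shared_dir, name), "wb") as f:
        f.write(replacement)


def demo():
    """Runs the race once and reports (unchecked load showed original?, checked load result)."""
    with tempfile.TemporaryDirectory() as shared:
        app = Messenger(shared)
        app.receive("invoice.png", RECEIVED_MEDIA)
        # The window: the file is on disk but not yet rendered in the chat UI.
        malicious_app_tampers(shared, "invoice.png", TAMPERED_MEDIA)
        shown_unchecked = app.load_unchecked("invoice.png")
        try:
            app.load_checked("invoice.png")
            checked_result = "accepted"
        except ValueError:
            checked_result = "rejected"
        return shown_unchecked == RECEIVED_MEDIA, checked_result


if __name__ == "__main__":
    original_shown, checked = demo()
    print("unchecked load displayed the original file:", original_shown)
    print("checked load:", checked)
```

The digest check only helps if the reference value lives somewhere the other app cannot write, which is why it is kept out of the shared directory; storing it alongside the media file would let the attacker rewrite both. The simplest fix, as the report notes, is for the app to keep media in internal storage in the first place.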

How to be safe from this security flaw?

WhatsApp and Telegram users can reduce the risk by disabling the feature that saves media files to external storage. In WhatsApp, this is done by navigating to Settings -> Chats -> Media Visibility; in Telegram, by turning off ‘Save to Gallery’ under Settings -> Chat Settings -> Save to Gallery.


Author: Manoj Nagendra

Manoj Nagendra is passionate about smartphones and the latest technology. He likes to write and explore the latest tech and you can often find him with an Android phone. You can follow him on Twitter @manojshesh24 and also mail at