Hackers can take advantage of a logical flaw in WhatsApp for Android and modify or replace media files available in external storage, such as memory cards, before the intended recipient can see them.
The same risk exists with the Telegram messaging app if configured to save files to a public directory that any app can access and write to, such as the photo gallery folder.
Extra storage is for every app
Both messaging apps provide end-to-end encryption, but this protection does not extend beyond the apps' internal storage on Android, where data cannot be reached by other apps.
External storage is a different story. Because it is a public area, restrictions are laxer and any app given permission can access the data on it.
Writing to external storage is a privilege often requested by Android apps and users typically grant the permission without batting an eyelash at the risk.
Researchers at Symantec analyzing the way WhatsApp and Telegram handle media files discovered that a threat actor could tamper with the data after it's written to disk and before the recipient loads it. They named this attack Media File Jacking.
Initial compromise of the device is needed to pull off this type of attack. The storage area has to be monitored for new files, and an app that can read content on the card and write to it should be enough to pull this off.
“Malware can instantaneously analyze and manipulate the files (or just replace them with the attacker’s chosen files) for malicious gain” – Symantec
Once the file is replaced or modified, the recipient would be none the wiser as there is nothing to signal or hint at the unauthorized intervention. Even the thumbnail showing in the notification message would be for the manipulated image or file.
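The window described above exists because nothing ties the file on shared storage back to the bytes the messaging app originally wrote. As an added example (not code from Symantec, WhatsApp or Telegram), this Python sketch records a SHA-256 digest in a private directory at write time and checks it before the file is loaded; the class, function and file names are hypothetical, and the private directory is an assumed stand-in for app-internal storage.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

class MediaTampered(Exception):
    """File on shared storage no longer matches what the app wrote."""

class MediaIntegrityStore:
    """private_dir is an assumed stand-in for app-internal storage."""

    def __init__(self, private_dir):
        self.private_dir = Path(private_dir)
        self.private_dir.mkdir(parents=True, exist_ok=True)

    def _record(self, media_path):
        key = hashlib.sha256(str(Path(media_path).absolute()).encode()).hexdigest()
        return self.private_dir / key

    def save(self, media_path, data):
        # Digest the decrypted bytes in memory, before they reach shared storage.
        self._record(media_path).write_text(hashlib.sha256(data).hexdigest())
        Path(media_path).write_bytes(data)

    def load(self, media_path):
        record = self._record(media_path)
        if not record.exists():
            raise MediaTampered(f"no digest recorded for {media_path}")
        data = Path(media_path).read_bytes()
        # Hash the exact bytes returned; a second read would reopen the window.
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, record.read_text()):
            raise MediaTampered(f"{media_path} changed after it was written")
        return data

def demo():
    """Constructed scenario: returns (clean_load_ok, tamper_detected)."""
    with tempfile.TemporaryDirectory() as root:
        store = MediaIntegrityStore(Path(root, "internal"))
        photo = Path(root, "IMG-0001.jpg")  # stands in for shared storage
        original = b"\xff\xd8constructed sample image bytes\xff\xd9"
        store.save(photo, original)
        clean_ok = store.load(photo) == original
        photo.write_bytes(b"\xff\xd8bytes written by another app\xff\xd9")
        try:
            store.load(photo)
        except MediaTampered:
            return clean_ok, True
        return clean_ok, False
```

The check only holds if the digest records sit somewhere other apps cannot write, which is why they are kept apart from the media file itself.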