Washington: Just hours after Telegram founder Pavel Durov publicly questioned WhatsApp’s security, Google confirmed a flaw affecting WhatsApp users on Android that allows attackers to exploit automatic media downloads without any user interaction.
According to researchers from Google Project Zero, the vulnerability creates a new “attack surface” within WhatsApp on Android devices. The issue is linked to zero-click media downloads, meaning a victim does not need to tap or open a file for the exploit to begin.
The attack method involves adding both the victim and one of their contacts to a newly created WhatsApp group. The attacker then promotes the victim’s contact to group administrator and sends a malicious media file to the group. Due to WhatsApp’s automatic download settings, the file may download to the victim’s device without their knowledge, potentially exposing the phone to further compromise.
Google confirmed that Meta, WhatsApp’s parent company, is working on a fix. A server-side update was reportedly pushed on November 11, partially addressing the issue, while a comprehensive solution remains under development. In the meantime, Google has advised users to disable automatic media downloads or enable WhatsApp’s Advanced Privacy Mode to prevent files from being downloaded automatically.
Project Zero noted that while WhatsApp operates within a sandbox environment designed to limit damage, the risk increases once a malicious file is stored in the device’s general media folder. The team believes the vulnerability is more likely to be used in targeted attacks, as attackers must know or successfully guess a victim’s contact. However, researchers warned that repeated attempts can be made quickly, making such attacks feasible in focused scenarios.
The disclosure follows comments made by Pavel Durov, who claimed on X that WhatsApp has “multiple attack vectors” and questioned its security in 2026. While Durov’s remarks have not been substantiated, they have added to ongoing debate around messaging app security. Durov is the founder of Telegram, a rival platform to WhatsApp.





