WhatsApp, Telegram had security flaws that let hackers change what you see

In a demo clip, Symantec’s security researchers altered all the faces to show Nicolas Cage instead.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

The vulnerability allowed malware to manipulate photos sent over WhatsApp and Telegram.


With this vulnerability, what you see on WhatsApp and Telegram might not be what was sent. Despite the secure messaging apps' end-to-end encryption protecting people from government surveillance, researchers from Symantec disclosed flaws that could allow potential hackers to alter images and audio files. 

While the sender might have sent, say, a photo of a map, malware could exploit this vulnerability on WhatsApp and Telegram to replace the photo and give the recipient the wrong directions. In another example, the malware could change numbers in a photo of an invoice, to scam victims into giving money to the wrong person.

Secure messaging apps are an important tool for activists, politicians and dissidents who want to keep their conversations protected from surveillance. Messaging apps like Signal, WhatsApp, Telegram and iMessage have end-to-end encryption, which means that the conversations are hidden even from the companies themselves. 

While the encryption protects your messages from surveillance, it doesn't mean that the apps themselves are immune. In May, reports disclosed a WhatsApp flaw that allowed hackers to install spyware on devices with a simple phone call. Security researchers also disclosed a Telegram vulnerability in 2017 that allowed hackers to take over accounts.

The new vulnerability disclosed on Monday doesn't allow for account hijacking, but it was ripe for fraud, Symantec's researchers said. 

The security flaw stemmed from how media files are stored on WhatsApp and Telegram, Symantec said in a blog post. When files are stored on external storage, other apps can access and manipulate them. On WhatsApp, files are stored externally by default, while on Telegram, the vulnerability is present if "Save to Gallery" is enabled.

Symantec's researchers tested malware it created to manipulate image and audio files sent through WhatsApp and Telegram. In a demo clip , a person sent a photo of two friends, and the malware on the recipient's device automatically replaced it with the actor Nicolas Cage over their faces.

"WhatsApp has looked closely at this issue and it's similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android's ongoing development," WhatsApp said in a statement.

Telegram didn't respond to a request for comment. 

If you're using these apps, you can protect yourself from this risk by changing your settings for media storage. On WhatsApp, you can do this by going to settings, and toggling off "Media Visibility." On Telegram, you can protect yourself by toggling off "Save to Gallery." 

But WhatsApp said in an email that the suggested changes could create privacy issues and limit how images are shared. Many apps store images in external storage so people can save pictures even when the app is uninstalled, and most Android devices don't provide enough internal storage, the company said.

An imposter Telegram 

Symantec's researchers also discovered a separate issue with Telegram, with a fake version of the app on the Google Play Store. 

The app, called MobonoGram, promoted itself as an enhanced version of Telegram with extra features. That would be true, if the extra features meant visiting malicious websites like pornography and scams in the background. This malware would also slow down users' devices and drain its battery life.

The fraudulent app was downloaded more than 100,000 times before it was removed from the Google Play store. Google confirmed it was removed and said it banned the developers.

Researchers found another imposter app, called Whatsgram, that served the same attacks, from the same developers. Symantec said it's blocked more than 1,200 apps related to these developers from January to May, with most infections happening in the US, Iran and India.

Originally published July 15 at 3 a.m. PT.
Updated at 6:15 a.m. PT: Adds comments from WhatsApp.

Watch this: Finding our personal data on the dark web was far too easy