Media file jacking vulnerability found in WhatsApp and Telegram

Time lapse can be exploited to manipulate sensitive files for malicious intent

WhatsApp is back in the news following the release of new research by Symantec that reveals a vulnerability, termed ‘media file jacking’, that can affect WhatsApp and Telegram for Android. The security flaw allows malicious attackers to manipulate and modify media files such as commercial documents, photos and recordings in WhatsApp and Telegram based on the users’ settings.

The challenge of default settings

Android apps can store files and data in two storage locations: ‘internal’ and ‘external’ storage. Files saved to internal storage are accessible only by the app itself, meaning other apps cannot access them. Files saved to external storage – whether this is a generally-accessible folder on the device, or a public (e.g. cloud) folder –   can be modified by other apps or users beyond the app’s control. WhatsApp and Telegram may store media files in external storage (depending on user settings); this means that, devoid of any proper security measures in place, other apps with write-to-external storage permission can maliciously access and alter files. Effectively these apps place their root of trust in the storage medium rather than controlling the root of trust themselves.

End-to-end encryption is one part of the story

There is a common perception that instant messaging apps are immune from privacy risks and manipulation of attachments due to security features such as end-to-end encryption. Whilst end-to-end encryption is an effective mechanism it doesn’t stop the altering of files on external storage before or after the content is encrypted in transit. A user may innocently download an app unaware that it contains malware capable of manipulating files stored in external storage. An app that appears to be legitimate but is in fact malicious can intercept files, such as a PDF invoice file received via WhatsApp, then programmatically swap the displayed bank account information in the invoice with that of a malicious actor. Equally feasible (as described by Symantec) could be substitution of an altered audio recording giving fraudulent instructions, manipulation of an image or map for deceptive purposes, or even changing a Telegram channel feed to insert ‘fake news’.

Not all applications are created equally

Just as there is no such thing as a free lunch, the saying can be equally applied to applications. Data is a valuable currency and cyber criminals are in the business of quick and easy paydays. With any free app you don’t really know who has access to your information and because it’s free you don’t have any recourse. If you aren’t paying for the product, it means you ARE the product.

Employees should take security seriously but in the absence of a secure and easy to use app, people will naturally seek their own workaround solutions. Armour Mobile is a cost-effective and easy to use solution that works on everyday smartphones. With the same usability as consumer-grade apps, but with significantly enhanced security (secure message attachments are stored in the app’s encrypted database, i.e. controlling the ‘root of trust’ mentioned earlier) it could be the answer to your security needs. Contact us today to discuss a solution.