Though WhatsApp and Telegram tout themselves as secure messaging services, faulty developer coding that allows cyberattackers to intercept media files sent on the Android versions of the services (like photos and videos, documents and voice memos) undercuts that claim.
The security weakness, dubbed Media File Jacking, is a variant of the “man in the disk” flaw revealed by Check Point at DEFCON last year. It arises from the fact that Android’s OS makes use of two types of storage – internal storage which provides every app with its own sandbox and is not accessible by other apps; and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS, because it’s designed to enable apps to transfer data from one app to another. So, if a user takes a picture and then wants to send it to someone using a messaging app, the external storage is the platform that allows this to happen.
By default, WhatsApp stores media files received by a device in external storage. Telegram does so if a user enables the “Save to Gallery” feature. In both cases, though, the services lack proper security mechanisms to prevent other apps with write-to-external-storage permissions from accessing the files, researchers said.
Exacerbating the issue is a time lapse between when media files are received and written to disk, and when they show up in users’ chats, according to researchers. During that short window, malicious actors can intervene and access the files without the user’s knowledge, despite the fact that the apps use end-to-end encryption.
Thus, adversaries can convince someone to download a rogue app (via various social-engineering techniques) with write-to-external storage permissions, which can wait and silently listen for a media file to be written to the external storage disk. It can then instantaneously copy or manipulate the file (or just replace it with another file entirely) before it shows up in the recipient’s chat window.
“Think of it like a race between the attacker and the app loading the files,” said Alon Gat, software engineer with Symantec, in a Monday posting on the issue. “If the attacker gets to the files first – this can happen almost in real time if the malware monitors the public directories for changes – recipients will see the manipulated files before ever seeing the originals. Moreover, the thumbnail that appears in the notification that users see will also show the manipulated image or file, so recipients will have no indication that files were changed. Additionally, data can be manipulated on WhatsApp both when sending files – meaning the attack is launched on the sender’s device – and when receiving files – with the attack happening on the receiving device.”
Google provides developer guidelines meant to act as a road map for security best practices. These include advice such as never writing critical or sensitive data files to the external storage, and not using it to store executables or files that impact the way apps operate. Also, external storage files should be signed and cryptographically verified prior to dynamic loading, Google advises.
However, in WhatsApp and Telegram’s case, “Neither app has any measures in place to protect their users from a Media File Jacking attack,” Gat said.
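What such a measure could look like, as an added illustration rather than code from either app or from the researchers: the receiving app already holds the authentic bytes when it decrypts the end-to-end message, so it can record a digest of those bytes at write time and refuse to render anything read back from shared storage that no longer matches. The media bytes, file name and temporary directory below are all constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample "media" as it would come out of the end-to-end channel,
# and the bytes a rogue app drops in its place (both stand-ins, not real files).
RECEIVED_MEDIA = b"\x89PNG constructed original image bytes"
SWAPPED_MEDIA = b"\x89PNG constructed tampered image bytes"


def save_to_external_storage(storage_dir: Path, name: str, data: bytes) -> tuple[Path, str]:
    """Write decrypted media to shared storage and return its path plus a SHA-256.

    The digest is taken from the bytes that left the E2E channel, never from the
    file on disk, so other apps with write access to the directory cannot set it.
    """
    path = storage_dir / name
    path.write_bytes(data)
    return path, hashlib.sha256(data).hexdigest()


def load_unverified(path: Path) -> bytes:
    """Vulnerable pattern: display whatever is in shared storage at render time."""
    return path.read_bytes()


def load_verified(path: Path, expected_sha256: str) -> bytes:
    """Hardened pattern: refuse media whose digest no longer matches the channel."""
    data = path.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError(f"{path.name} was modified in external storage")
    return data


def simulate_race(tamper: bool) -> dict:
    """Receive a file, optionally let a 'rogue app' swap it, then load it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        storage = Path(tmp)  # stands in for the shared external-storage directory
        path, digest = save_to_external_storage(storage, "IMG-0001.png", RECEIVED_MEDIA)
        if tamper:
            # Any app with write-to-external-storage permission can do this in the
            # window between the write above and the chat rendering the file.
            path.write_bytes(SWAPPED_MEDIA)
        try:
            load_verified(path, digest)
            rejected = False
        except ValueError:
            rejected = True
        return {"unverified_shows_original": load_unverified(path) == RECEIVED_MEDIA,
                "verified_rejected": rejected}
```

`load_verified` returns the bytes it checked, so the renderer should draw from that buffer rather than reopening the path, which would reopen the same window between check and use.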
The attack vector can be used in a number of attack scenarios, such as on-the-fly image manipulation. Imagine, for instance, the media files of a politician running for office or a company executive being photoshopped, allowing attackers to extort or frame targets. Or, a malicious actor could manipulate an invoice sent by a vendor to a customer, tricking the customer into making a payment to an illegitimate account.
There’s also audio message spoofing to consider.
“A CEO sends his CFO an audio message, via WhatsApp, requesting updated slides for a board meeting next week,” Gat explained. “The attacker, using voice reconstruction via deep learning technology – something that is becoming more and more feasible today – alters the original audio file to communicate to the CFO, in the CEO’s own voice, that a payment needs to be transferred immediately to a fictitious party, which is in fact the attacker.”
And finally, in Telegram, admins can broadcast messages to an unlimited number of subscribers to various “channels.” An attacker could change the media files that appear in the channel feed in real time, resulting in reputational or credibility damage.
In any event, WhatsApp and Telegram users should be aware that the services’ built-in encryption doesn’t solve the issue, according to researchers.
“The Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks, thanks to the utilization of security mechanisms such as end-to-end encryption,” said Gat. “While end-to-end encryption is an effective mechanism to ensure the integrity of communications, it isn’t enough if app-level vulnerabilities exist in the code.”
Neither Telegram nor WhatsApp immediately responded to a request for comment on this story, though Gat said both were notified of the issue.