Google Issues WhatsApp Attack Warning For All Android Users
Google Issues WhatsApp Attack Warning For All Android Users
Publish Date: 2026-01-26 17:44:00
Source Domain: www.forbes.com
WhatsApp attack warning
AFP via Getty Images
An interesting start to the week for WhatsApp. Just hours after Telegram’s Pavel Durov warned that Meta’s messenger has “multiple attack vectors,” comes a report that Google has found a serious WhatsApp vulnerability that “opens up (an) attack surface.”
Any warning from Google’s Project Zero threat hunters is taken seriously. This is the team behind many of the zero-day spyware discoveries plaguing Android and iPhone. This threat affects WhatsApp on Android, and relates to zero-click media downloads.
The attack works when a victim and one of the victim’s contacts are added to a new WhatsApp group. The attacker then makes the victim’s contact an admin of the group, and then sends a malicious media attachment to that group. This will likely be automatically download to the victim’s phone, which then opens the attack surface.
Google says Meta is currently working on a fix. They “pushed a server change on November 11 that partially resolved the issue, but are working on a comprehensive fix.” Meanwhile, Google tells users to “disable Automatic Download or enable WhatsApp Advance Privacy Mode, (t0) prevent the file from being automatically downloaded.”
Attack vulnerability
Google Project Zero
I have warned before that automatically downloading media from any message platform is dangerous. The messaging app is a sandbox, and should contain the threat. But once a file is added to a general media store that all changes.
This would likely be a targeted attack, Google says, because an attacker must know or guess a contact “making it lower severity than a full contact gating bypass.” But the Project Zero team warns “it’s easy to attempt this many times in quick succession, and likely easy to guess contacts in targeted attacks.”
Neowin spotted the Project Zero report, and explains it was reported privately to Meta on…
