An interesting start to the week for WhatsApp. Just hours after Telegram’s Pavel Durov warned that Meta’s messenger has “multiple attack vectors,” comes a report that Google has found a serious WhatsApp vulnerability that “opens up (an) attack surface.”
Any warning from Google’s Project Zero threat hunters is taken seriously. This is the team behind many of the zero-day spyware discoveries plaguing Android and iPhone. This threat affects WhatsApp on Android, and relates to zero-click media downloads.
The attack works when a victim and one of the victim’s contacts are added to a new WhatsApp group. The attacker then makes the victim’s contact an admin of the group, and then sends a malicious media attachment to that group. This will likely be automatically downloaded to the victim’s phone, which is what opens the attack surface.
Google says Meta is currently working on a fix. They “pushed a server change on November 11 that partially resolved the issue, but are working on a comprehensive fix.” Meanwhile, Google tells users to “disable Automatic Download or enable WhatsApp Advance Privacy Mode, (to) prevent the file from being automatically downloaded.”
I have warned before that automatically downloading media from any message platform is dangerous. The messaging app is a sandbox, and should contain the threat. But once a file is added to a general media store, all of that changes.
This would likely be a targeted attack, Google says, because an attacker must know or guess a contact “making it lower severity than a full contact gating bypass.” But the Project Zero team warns “it’s easy to attempt this many times in quick succession, and likely easy to guess contacts in targeted attacks.”
Neowin spotted the Project Zero report, and explains it was reported privately to Meta on September 1, 2025, “giving the firm the standard 90 days to fix the issue before it was made public. Following Meta’s failure to issue a fix by November 30, 2025, the vulnerability was made public.”
Confirmation that Meta is working on a fix came on December 4. “The ticket has not been updated with new communications since then,” Neowin says, “which would indicate that this bug is still open.” I have reached out to Meta for any response.
It’s worth making those changes anyway, regardless of any fix. You should not let media files download to your phone automatically. Only do so if you are sure of the sender and the origination of the file. Otherwise leave it where it is.
Meanwhile, Durov issued that unrelated warning on X: “You’d have to be braindead to believe WhatsApp is secure in 2026. When we analyzed how WhatsApp implemented its ‘encryption,’ we found multiple attack vectors.” There is nothing to substantiate this claim, and so for now it can be filed alongside Telegram’s other strikes at WhatsApp.