Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram

Pierluigi Paganini July 16, 2019

Media File Jacking – Security researchers at Symantec demonstrated how to manipulate media files that can be received via WhatsApp and Telegram Android apps.

Security experts at Symantec devised an attack technique dubbed Media File Jacking that could allow attackers to manipulate media files that can be received via WhatsApp and Telegram Android apps. The issue could potentially affect many other Android apps as well.

The attack technique leverages the fact that any app installed on a device can access and rewrite files saved in the external storage, including the files saved by other apps. Popular apps like WhatsApp and Telegram allow users to choose where to store the file. The researchers pointed out that unlike Telegram for Android.

Anyway, many Telegram users prefer to save their data to external storage using the “Save to Gallery” option.

“The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.” reads the report published by Symantec. “It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.”

A malicious app installed on the recipient’s device can intercept and manipulate media files, including photos, documents, or videos stored on the external storage, that are exchanged between users. The attack is completely transparent for the recipient that is not able to see any suspicious activity.

“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” continues the analysis. ” Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps, with over a million apps in Google Play having this access. In fact, based on our internal app data, we found nearly 50% of a given device’s apps have this permission.”

media file jacking attack

Researchers presented four attack scenarios that see a malicious app manipulating media files sent to the recipient:

  1. Image manipulation

The malicious, app downloaded by a user can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp or Telegram and manipulate images in near-real-time.

2.) Payment manipulation

The attackers can manipulate an invoice sent by a vendor to the recipient and trick them into making a payment.

3.) Audio message spoofing

Attackers can use voice reconstruction via deep learning technology to modify the original audio message for malicious purposes.

4.) Spread fake news

In Telegram, attackers can carry out Media File Jacking attacks to alter media files that appear in a trusted channel feed in real-time to spread fake news.

To ensure that media files are kept safe from attackers, Symantec provides the following recommendations:

  • Validate the integrity of files: Store in a metadata file a hash value for each received media file before writing it to the disk. Then, confirm that the file has not been changed (i.e. the hash is the same) before the media file is loaded by the app in the relevant chat portion for users to see. This step can help developers validate that files were not manipulated before they are loaded. This approach balances between the security (protection against Media File Jacking attacks) and functionality (e.g., supporting third party backup apps) needs of the IM apps.
  • Internal storage: If possible, store media files in a non-public directory, such as internal storage. This is a measure some IM apps have chosen.
  • Encryption: Strive to encrypt sensitive files, as is usually done for text messages in modern IM solutions. This measure, as well as the previous one, will better protect files from exposure and manipulation. The downside is that other apps, such as photo backup apps, won’t be able to easily access these files.

Symantec shared its findings with both Telegram and WhatsApp, the experts explained that the vulnerability will be addressed by Google with the Android Q update.

“With the release of Android Q, Google plans to enact changes to the way apps access files on a device’s external storage. Android’s planned Scoped Storage is more restrictive, which may help mitigate threats like the WhatsApp/Telegram flaw we found.”concludes Symantec. “Scoped Storage means that apps will have their own storage area in an app-specific directory, but will be prevented from accessing files in the entire storage partition, unless an explicit permission is granted by the user.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Media File Jacking, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment