Security experts at Symantec devised an attack technique dubbed Media File Jacking that could allow attackers to manipulate media files received via the WhatsApp and Telegram Android apps. The issue could potentially affect many other Android apps as well.
The attack technique leverages the fact that any app installed on a device can access and rewrite files saved in the external storage, including the files saved by other apps. Popular apps like WhatsApp and Telegram allow users to choose where to store the file. The researchers pointed out that unlike Telegram for Android.
Anyway, many Telegram users prefer to save their data to external storage using the “Save to Gallery” option.
“The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.” reads the report published by Symantec. “It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.”
A malicious app installed on the recipient’s device can intercept and manipulate media files, including photos, documents, or videos stored on the external storage, that are exchanged between users. The attack is completely transparent
“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” continues the analysis. “Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps, with over a million apps in Google Play having this access. In fact, based on our internal app data, we found nearly 50% of a given device’s apps have this permission.”
Researchers presented four attack scenarios that see a malicious app manipulating media files sent to the recipient:
The malicious app downloaded by a user can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp or Telegram, manipulating images in near-real-time.
2.) Payment manipulation
The attackers can manipulate an invoice sent by a vendor to the recipient and trick them into making a payment.
3.) Audio message spoofing
Attackers can use voice reconstruction via deep learning technology to modify the original audio message for malicious purposes.
4.) Spread fake news
In Telegram, attackers can carry out Media File Jacking attacks to alter media files that appear in a trusted channel feed in real-time to spread fake news.
To ensure that media files are kept safe from attackers, Symantec
Symantec shared its findings with both Telegram and WhatsApp. The experts explained that the vulnerability will be addressed by Google with the Android Q update.
“With the release of Android Q, Google plans to enact changes to the way apps access files on a device’s external storage. Android’s planned Scoped Storage is more restrictive, which may help mitigate threats like the WhatsApp/Telegram flaw we found.” concludes Symantec. “Scoped Storage means that apps will have their own storage area in an app-specific directory, but will be prevented from accessing files in the entire storage partition, unless an explicit permission is granted by the user.”
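The root cause described above is that a file written to shared storage is later loaded for display with no integrity check in between. The following added example (not code from Symantec, WhatsApp or Telegram) shows one app-level defence: record a digest of the received bytes at write time and verify it immediately before display. The class name, the in-memory map standing in for app-private storage, and the temporary directory standing in for external storage are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;

/** Added illustration: verify a media file's digest before loading it. */
public class MediaIntegrityDemo {
    // Assumption: stands in for a store kept in app-private (internal) storage,
    // which other apps cannot write to. Hypothetical name.
    private static final Map<String, byte[]> privateDigestStore = new HashMap<>();

    /** Called when the app writes a received file to shared storage. */
    static void saveReceived(Path file, byte[] content) throws Exception {
        // Digest the bytes as received, not a re-read of the shared file,
        // so a writer racing the save cannot poison the recorded value.
        privateDigestStore.put(file.toString(),
                MessageDigest.getInstance("SHA-256").digest(content));
        Files.write(file, content);
    }

    /** Called right before the UI renders the file; returns null if it changed. */
    static byte[] loadVerified(Path file) throws Exception {
        byte[] expected = privateDigestStore.get(file.toString());
        byte[] data = Files.readAllBytes(file); // read once, verify this buffer
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        // Constant-time comparison; the verified buffer is the one displayed,
        // so there is no second read for another writer to race.
        if (expected == null || !MessageDigest.isEqual(expected, actual)) {
            return null;
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the shared external storage directory.
        Path shared = Files.createTempDirectory("shared-storage");
        Path invoice = shared.resolve("invoice.pdf");
        saveReceived(invoice, "pay to account A".getBytes(StandardCharsets.UTF_8));
        System.out.println("untouched file accepted: " + (loadVerified(invoice) != null));

        // Another process with write access to shared storage rewrites the file
        // between save and display (the window the report describes).
        Files.write(invoice, "pay to account B".getBytes(StandardCharsets.UTF_8));
        System.out.println("modified file accepted:  " + (loadVerified(invoice) != null));
    }
}
```

The check only helps if the digest store lives where other apps cannot write and if the app displays the same buffer it verified rather than reopening the file.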