‘Media File Jacking’ is the name given to a newly described security flaw that lets an attacker manipulate images and audio files on various platforms, in this case the ‘end-to-end encryption’ apps WhatsApp and Telegram on Android. Symantec’s Modern OS Security team explained that ‘neither app has any system in place to protect users from a Media File Jacking attack’.
“If the security flaw is exploited, a malicious attacker could misuse and manipulate sensitive information such as personal photos and videos, corporate documents, invoices, and voice memos,” wrote Software Engineer Alon Gat and Yair Amit, Vice-President and Chief Technology Officer, Modern OS Security, Symantec.
Image and payment manipulation are arguably the most damaging Media File Jacking threats. In one of the most damaging variants, a malicious actor manipulates an invoice sent by a vendor to a customer, tricking the customer into making a payment to an illegitimate account. As in the previous scenario, an app that appears legitimate but is in fact malicious watches for PDF invoice files received via WhatsApp, then programmatically swaps the bank account details displayed in the invoice for those of the bad actor. The customer receives the invoice they were expecting, with no indication that it has been altered. By the time the trick is exposed, the money may be long gone. To make matters worse, the invoice hack could be distributed broadly and in a non-targeted way, looking for any invoice to manipulate and affecting multiple victims who use IM apps like WhatsApp to conduct business, the team explained.
We detail below how to mitigate these threats:
Disabling the storage of media files in external storage
IM app users can mitigate the risk of Media File Jacking by disabling the feature that saves media files to external storage. We show how to do this in WhatsApp and Telegram below.
WhatsApp: Settings -> Chats -> Media Visibility
Telegram: Settings -> Chat Settings -> Save to Gallery
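The invoice swap described above works because the file sits in shared external storage between the moment the app writes it and the moment the user opens it, and any other app with storage access can rewrite it in that window. The following Python script is an added illustration, not code from Symantec, WhatsApp or Telegram: it simulates a media directory with a temporary folder, records a SHA-256 hash of each file in app-private state at receipt time, simulates a swap of the account number by a second party with write access, and shows that the re-check at display time catches the change. The class and function names (MediaStore, receive_media, open_for_display, simulate_swap) and the invoice contents are constructed for the demonstration.

```python
"""Constructed demonstration of receipt-time hashing as a detection for
Media File Jacking. Not the code of any real IM app; all names and sample
data below are made up for this example."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple


class MediaStore:
    """Writes received media to a (simulated) shared directory and keeps the
    hash of each file in app-private memory, which other apps cannot reach."""

    def __init__(self, shared_dir: Path):
        self.shared_dir = shared_dir
        self.expected: Dict[str, str] = {}

    def receive_media(self, name: str, data: bytes) -> Path:
        # Writing to shared storage is the step that exposes the file.
        path = self.shared_dir / name
        path.write_bytes(data)
        # Hash computed from the bytes we received, before anyone else
        # could have touched the file on disk.
        self.expected[name] = hashlib.sha256(data).hexdigest()
        return path

    def open_for_display(self, name: str) -> Tuple[bool, bytes]:
        """Re-read the file and compare it with the receipt-time hash.
        Returns (is_intact, content); a False result means the bytes on
        disk no longer match what the app itself wrote."""
        data = (self.shared_dir / name).read_bytes()
        intact = hashlib.sha256(data).hexdigest() == self.expected.get(name)
        return intact, data


def simulate_swap(path: Path, old: bytes, new: bytes) -> None:
    """Stands in for a second app with write access to shared storage
    changing the file between receipt and display (constructed stand-in,
    just a byte replacement in a temporary file)."""
    path.write_bytes(path.read_bytes().replace(old, new))


def run_demo() -> Dict[str, bool]:
    """Run the receive -> swap -> display sequence and report what the
    integrity check saw at each stage."""
    with tempfile.TemporaryDirectory() as d:
        store = MediaStore(Path(d))
        # Constructed invoice text; the account strings are placeholders.
        invoice = b"INVOICE 1234\nPay to account: VENDOR-ACCOUNT-0001\n"
        path = store.receive_media("invoice.pdf", invoice)
        intact_before, _ = store.open_for_display("invoice.pdf")

        simulate_swap(path, b"VENDOR-ACCOUNT-0001", b"OTHER-ACCOUNT-0002")

        intact_after, shown = store.open_for_display("invoice.pdf")
        return {
            "intact_before": intact_before,
            "intact_after": intact_after,
            "shown_content_altered": b"OTHER-ACCOUNT-0002" in shown,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the design is where the hash lives: it is held in state that only the receiving app can read, so a party that can rewrite the shared file cannot also rewrite the reference it is checked against. On a real device the check only narrows the problem, because the app still has to decide what to do when the file fails verification; the settings above remove the exposure altogether by keeping media out of external storage in the first place.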
A few weeks ago we removed all traces of our dilly dally with advertising. The adverts were intrusive and spoilt your enjoyment of TheAppWhisperer.com, you told us. We were happy to do this but of course the revenue did help to support our not for profit site. Therefore, please consider offering a contribution or supporting us with a regular monthly donation of your choosing, so that we can continue to bring you this high quality level of specialist journalism, day in and day out. Please reward our passion, as we reward yours…we would not ask if it was not important.