Jump to content
Report any bug Read more... ×
We're hiring! We are accepting applications for Developers, Teachers, Redactors and Junior Moderators. Read more... ×
Search In
  • More options...
Find results that contain...
Find results in...

Create an account on our board

or login and enjoy all the possibilities

Existing user? Sign In

Sign In



Sign Up

Learn Or Teach

You can learn computer security by practicing in the Dashboard, you can also be taught by a teacher. Or You can teach community members regardless of your specialty, and earn points for each person!

Learn or Teach

The Challenges

The new Challenges page is here. Take advantage of several vulnerable web applications to help train you such as, DVWA, XVWA, Mutillidae. You can also launch an existing or custom virtual machine.

Play Now !

Collaboration Room

The first categories of the forum are rooms that you can create or join in order to participate in events with the other members of the community. You can also create your room to make a teaching request, or attend your teacher's presentation. In this room you can create a private forum, store your information, invite other people etc.

Create Room

Create your club

You can create a club with your friends, earn points in teams. Creating a club gives you access to a team space. There you will have a private forum where you can store files, share information etc. Invite your friends and play together!

Create yours now!

VIP

Several VIP packs are available, understand that the survival of this site depends on it. Of course you can buy this pack with your points won during events. Formulas: Vip Member Vip Teacher Vip student

Buy
News
  • For new users read this
  • Challenges
  • for new users thank you to post in introduction and answer "Accept" on the topic of the rules to have access to the integrity of the forum and receive your Exploit-Code
  • The challenges board is being developed you are likely to encounter some bugs if this is the case report to an administrator.

Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram

Sign in to follow this  
AdminSec

84 views

<!> Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram <!>

whatsapp-telegram.jpg

If you think that the media files you receive on your end-to-end encrypted secure messaging apps can not be tampered with, you need to think again.

Security researchers at Symantec yesterday demonstrated multiple interesting attack scenarios against WhatsApp and Telegram Android apps, which could allow malicious actors to spread fake news or scam users into sending payments to wrong accounts.

Dubbed "Media File Jacking," the attack leverages an already known fact that any app installed on a device can access and rewrite files saved in the external storage, including files saved by other apps installed on the same device.

WhatsApp and Telegram allow users to choose if they want to save all incoming multimedia files on internal or external storage of their device.

However, WhatsApp for Android by default automatically stores media files in the external storage, while Telegram for Android uses internal storage to store users files that are not accessible to any other app.

But, many Telegram users manually change this setting to external storage, using "Save to Gallery" option in the settings, when they want to re-share received media files with their friends using other communication apps like Gmail, Facebook Messenger or WhatsApp.

It should be noted that the attack is not just limited to WhatsApp and Telegram, and affects the functionality and privacy of many other Android apps as well.

media-file-jacking-attack.png

Just like man-in-the-disk attacks, a malicious app installed on a recipient's device can intercept and manipulate media files, such as private photos, documents, or videos, sent between users through the device's external storage—all without the recipients' knowledge and in real-time.

 

Quote

"The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files," researchers said in a blog post.

 

Quote

"Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or wreaking havoc."

Researchers illustrated and demonstrated four attack scenarios, as explained below, where a malware app can instantaneously analyze and manipulate incoming files, leading to:
 

1.) Image manipulation

In this attack scenario, a seemingly innocent-looking, but actually malicious, app downloaded by a user can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp and "manipulate personal photos in near-real-time and without the victim knowing."

 

2.) Payment manipulation

In this scenario, which researchers call "one of the most damaging Media File Jacking attacks," a malicious actor can manipulate an invoice sent by a vendor to customers to trick them into making a payment to an account controlled by the attacker.
 

3.) Audio message spoofing

In this attack scenario, attackers can exploit the relations of trust between employees in an organization. They can use voice reconstruction via deep learning technology to alter an original audio message for their personal gain or to wreak havoc.
 

4.) Spread fake news

In Telegram, admins use the concept of "channels" in order to broadcast messages to an unlimited number of subscribers who consume the published content. Using Media File Jacking attacks, an attacker can change the media files that appear in a trusted channel feed in real-time to spread fake news.
 

How to Prevent Hackers from Hijacking Your Android Files ?


Symantec already notified Telegram and Facebook/WhatsApp about the Media File Jacking attacks, but it believes the issue will be addressed by Google with its upcoming Android Q update.

Android Q includes a new privacy feature called Scoped Storage that changes the way apps access files on a device's external storage.

Scoped Storage gives each app an isolated storage sandbox into the device external storage where no other app can directly access data saved by other apps on your device.

Until then, users can mitigate the risk of such attacks by disabling the feature responsible for saving media files to the device's external storage. To do so, Android users can head on to:

 

WhatsApp: Settings → Chats → Turn the toggle off for 'Media Visibility'

Telegram: Settings → Chat Settings → Disable the toggle for 'Save to Gallery'

Sign in to follow this  


0 Comments


Recommended Comments

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×