Mohammedia – First identified by security researchers on September 1, 2025, a security flaw in WhatsApp for Android exposed a quiet but worrying gap in how the app handles media downloads in group chats, allowing images to be saved on a user’s phone without them ever opening the conversation.
The issue remained undisclosed until December, after the 90-day responsible disclosure window expired.
At its core, the bug broke one of WhatsApp’s key safety assumptions: that files from strangers won’t land on your device unless you interact first.
Normally, WhatsApp requires at least some action — replying to a message, opening a group, or manually tapping “download” — before media from non-contacts is saved. This is meant to reduce spam, scams, and security risks.
But researchers found a way around it. According to a report credited to Google Project Zero, an attacker could create a WhatsApp group, add a victim, then add one of the victim’s existing contacts to that group and promote them to admin.
From there, the attacker could send an image to the group — and the victim’s phone would automatically download it, even if the victim never opened the group or interacted with the message. The image wouldn’t even download for the promoted contact, only the victim.
Once a file is downloaded, it can be indexed by Android’s MediaStore system, where other apps may be able to see or process it.
While this bug didn’t allow direct hacking on its own, it lowered the barrier for follow-up attacks and made targeted abuse easier, especially if an attacker could guess or obtain a single contact linked to the victim.
The issue affected WhatsApp Android versions 2.25.22.80 and 2.25.23.81. Meta initially pushed a partial server-side fix in November 2025, but researchers said it didn’t fully solve the problem. After the 90-day disclosure deadline passed, the bug was made public.
By late January 2026, Meta confirmed that a comprehensive fix — along with related variants — had been rolled out.
For users, this episode is a reminder that security isn’t just about malware or obvious scams. Sometimes it’s about silent behavior happening in the background.
There are a few practical steps users can take to protect themselves. Disabling automatic media downloads in WhatsApp settings significantly reduces risk. Turning on Advanced Privacy Mode also helps limit how files are handled. Keeping apps updated is critical, as fixes often arrive unannounced. And as always, be cautious about unfamiliar groups — especially ones you didn’t ask to join.
Read also: How to Prepare for New Cyber Threats Emerging in 2026
