Mohammedia – First identified by security researchers on September 1, 2025, a security flaw in WhatsApp for Android exposed a quiet but worrying gap in how the app handles media downloads in group chats, allowing images to be saved on a user’s phone without them ever opening the conversation.
The issue remained undisclosed until December, after the 90-day responsible disclosure window expired.
At its core, the bug broke one of WhatsApp’s key security assumptions: that files from strangers won’t land on your device unless you interact first.
Normally, WhatsApp requires at least some action — replying to a message, opening a group, or manually tapping “download” — before media from non-contacts is saved. This is meant to reduce spam, scams, and security risks.
But researchers found a way around it. According to a report credited to Google Project Zero, an attacker could create a WhatsApp group, add a victim, then add one of the victim’s existing contacts to that group and promote them to admin.
From there, the attacker could send an image to the group — and the victim’s phone would automatically download it, even if the victim never opened the group or interacted with the message. The image wouldn’t even download for the promoted contact, only the victim.
Once a file is downloaded, it can be indexed by Android’s MediaStore system, where other apps may be able to see or process it.
While this bug didn’t allow direct hacking on its own, it lowered the barrier for follow-up attacks and made targeted abuse easier, especially if an attacker could guess or obtain a single contact linked to the victim.
The issue affected WhatsApp Android versions 2.25.22.80 and 2.25.23.81. Meta initially pushed a partial server-side fix in November 2025, but researchers said it didn’t fully resolve the problem. After the 90-day disclosure deadline passed, the bug was made public.
By late January 2026, Meta confirmed that a comprehensive fix — including related variants — had been rolled out.
For users, this episode is a reminder that security isn’t just about malware or obvious scams. Sometimes it’s about silent behavior happening in the background.
There are a few practical steps users can take to protect themselves. Disabling automatic media downloads in WhatsApp settings significantly reduces risk. Turning on Advanced Privacy Mode also helps limit how files are handled. Keeping apps updated is essential, as fixes often arrive unannounced. And as always, be cautious about unfamiliar groups — especially ones you didn’t ask to join.