Have you heard of media file jacking attacks? This is a type of attack in which malicious actors are able to manipulate media files. Unfortunately, the media file jacking attack is not hypothetical.
Symantec’s Modern OS Security team just reported that WhatsApp and Telegram are both vulnerable to this attack. WhatsApp for Android, in particular, is vulnerable by default, whereas Telegram for Android is vulnerable when specific features are enabled.
Where Does the File Jacking Vulnerability Stem From?
“It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume”, the researchers explained in their report.
This critical time lapse gives attackers an opening to intercept and manipulate media files without the knowledge or permission of the Android device’s owner. In the case of a successful exploit, sensitive information could be abused or altered, including personal photos and videos, important documents, invoices, and voice memos. Furthermore, threat actors could also exploit the relationship between a sender and a receiver for their personal gain.
The main concern with this vulnerability, however, lies elsewhere:
The Media File Jacking threat is especially concerning in light of the common perception that the new generation of IM apps is immune to content manipulation and privacy risks, thanks to the utilization of security mechanisms such as end-to-end encryption.
Media File Jacking Attack: the Consequences
The attack is similar to the so-called man-in-the-disk attack. In short, a malicious app installed on a recipient’s device can be used to hijack private media files that are sent via the device’s external storage.
Basically, there are four attack scenarios stemming from the media file jacking vulnerability.
1. Image manipulation, where “a seemingly innocent, but actually malicious, app downloaded by a user can manipulate personal photos in near-real time and without the victim knowing.”
2. Payment manipulation, where “a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account.”
3. Audio message spoofing, where “an attacker exploits the relations of trust between employees in an organization.”
4. Fake news spread via Telegram: “In Telegram, admins use the concept of “channels” to broadcast messages to an unlimited number of subscribers who consume the published content. An attacker can change the media files that appear in the channel feed in real time.”
The Symantec security team has notified both Telegram and Facebook about the media file jacking vulnerability. It is highly likely that Google will address the problem with the release of Android Q. Further details about addressing the issue are available in the report.
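One way an app can detect a file that was changed in the gap between being written to disk and being loaded, shown as an added example that is not code from the Symantec report or from either app. The class and file names are hypothetical, a temporary directory stands in for shared external storage, and an in-memory dictionary stands in for app-private storage.

```python
import hashlib
import hmac
import os
import tempfile

class MediaIntegrityError(Exception):
    """Stored media no longer matches the digest recorded at write time."""

class VerifiedMediaStore:
    """Hypothetical store: files in a shared directory, digests kept private."""

    def __init__(self, shared_dir):
        self.shared_dir = shared_dir  # stands in for shared external storage
        self._digests = {}            # stands in for app-private storage

    def save(self, name, data):
        # Record the digest of the received bytes before they reach shared storage.
        self._digests[name] = hashlib.sha256(data).digest()
        path = os.path.join(self.shared_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    def load(self, name):
        # Read once, then hash and return those same bytes, so no second gap
        # opens between the check and the use.
        with open(os.path.join(self.shared_dir, name), "rb") as f:
            data = f.read()
        expected = self._digests.get(name)
        actual = hashlib.sha256(data).digest()
        if expected is None or not hmac.compare_digest(actual, expected):
            raise MediaIntegrityError(f"{name} changed after it was written")
        return data

def demo():
    """Constructed data: one untouched file, one rewritten between save and load."""
    with tempfile.TemporaryDirectory() as shared:
        store = VerifiedMediaStore(shared)
        store.save("photo.jpg", b"constructed image bytes")
        invoice = store.save("invoice.pdf", b"constructed invoice: account 111")
        with open(invoice, "wb") as f:  # another app with storage access rewrites it
            f.write(b"constructed invoice: account 999")
        untouched_ok = store.load("photo.jpg") == b"constructed image bytes"
        try:
            store.load("invoice.pdf")
            tamper_detected = False
        except MediaIntegrityError:
            tamper_detected = True
        return untouched_ok, tamper_detected
```

The check only helps if the digest lives somewhere other apps cannot write; a digest stored next to the file in shared storage could be replaced along with it.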
It is noteworthy that in August 2018, a vulnerability in WhatsApp could allow malicious users to infiltrate group chats and manipulate the messages of individual users. Attackers could abuse the method to intercept and change the contents of messages sent in private conversations or large group chats.