WhatsApp漏洞允许恶意媒体文件通过群聊传播。

WhatsApp漏洞允许恶意媒体文件通过群聊传播。
A WhatsApp bug lets malicious media files spread through group chats

原始链接: https://www.malwarebytes.com/blog/news/2026/01/a-whatsapp-bug-lets-malicious-media-files-spread-through-group-chats

## WhatsApp 面临安全与隐私问题 WhatsApp 被 Meta 收购后，用户对其信任度不断下降，尽管已采用端到端加密，但仍存在隐私方面的担忧。近期的问题加剧了这些顾虑。 Google 的 Project Zero 发现了一种漏洞，恶意文件只需通过将用户添加到 Android 上的 WhatsApp 群组即可下载——这是一种“零点击”攻击。虽然可能被用于定向活动，但它构成重大风险。更严重的是，一项诉讼声称 Meta 即使在承诺加密的情况下也能访问用户通信，这源于 2023 年底的一次服务器更改。Meta 正在努力进行全面修复。 **为了降低风险，用户应：** * **禁用自动媒体下载：** 防止文件静默下载到您的设备。 * **限制群组访问：** 限制谁可以将您添加到群组。 * **启用双重验证：** 添加额外的账户安全层。 * **保持 WhatsApp 更新：** 确保您拥有最新的安全补丁。这些步骤旨在控制 WhatsApp 内的潜在威胁，并防止恶意文件影响您的设备。

最近WhatsApp出现了一个漏洞，由Google Project Zero报告并已通过更新修复。该漏洞可能导致恶意软件通过群组聊天中的恶意媒体文件传播。最初的报道因缺乏指向详细描述该漏洞的Project Zero报告的直接链接而受到批评。该漏洞集中在WhatsApp处理媒体文件的方式上，如果精心设计的恶意载荷利用Android媒体库中的漏洞，可能导致代码执行。仅仅下载文件不足以触发漏洞利用，但放置在手机媒体文件夹中的文件可能会被系统处理，从而可能激活恶意代码。建议用户更新WhatsApp到最新版本。作为预防措施，启用“锁定模式”并禁用自动媒体下载可以进一步降低风险，但核心问题现已解决。此漏洞利用凸显了接受来自不可信来源的媒体的危险。

原文

WhatsApp is going through a rough patch. Some users would argue it has been ever since Meta acquired the once widely trusted messaging platform. User sentiment has shifted from “trusted default messenger” to a grudgingly necessary Meta product.

Privacy-aware users still see WhatsApp as one of the more secure mass-market messaging platforms if you lock down its settings. Even then, many remain uneasy about Meta’s broader ecosystem, and wish all their contacts would switch to a more secure platform.

Back to current affairs, which will only reinforce that sentiment.

Google’s Project Zero has just disclosed a WhatsApp vulnerability where a malicious media file, sent into a newly created group chat, can be automatically downloaded and used as an attack vector.

The bug affects WhatsApp on Android and involves zero‑click media downloads in group chats. You can be attacked simply by being added to a group and having a malicious file sent to you.

According to Project Zero, the attack is most likely to be used in targeted campaigns, since the attacker needs to know or guess at least one contact. While focused, it is relatively easy to repeat once an attacker has a likely target list.

And to put a cherry on top for WhatsApp’s competitors, a potentially even more serious concern for the popular messaging platform, an international group of plaintiffs sued Meta Platforms, alleging the WhatsApp owner can store, analyze, and access virtually all of users’ private communications, despite WhatsApp’s end-to-end encryption claims.

Reportedly, Meta pushed a server change on November 11, 2025, but Google says that only partially resolved the issue. So, Meta is working on a comprehensive fix.

Google’s advice is to disable Automatic Download or enable WhatsApp’s Advanced Privacy Mode so that media is not automatically downloaded to your phone.

And you’ll need to keep WhatsApp updated to get the latest patches, which is true for any app and for Android itself.

Turn off auto-download of media

Goal: ensure that no photos, videos, audio, or documents are pulled to the device without an explicit decision.

Open WhatsApp on your Android device.
Tap the three‑dot menu in the top‑right corner, then tap Settings.
Go to Storage and data (sometimes labeled Data and storage usage).
Under Media auto-download, you will see When using mobile data, when connected on Wi‑Fi. and when roaming.
For each of these three entries, tap it and uncheck all media types: Photos, Audio, Videos, Documents. Then tap OK.
Confirm that each category now shows something like “No media” under it.

Doing this directly implements Project Zero’s guidance to “disable Automatic Download” so that malicious media can’t silently land on your storage as soon as you are dropped into a hostile group.

Stop WhatsApp from saving media to your Android gallery

Even if WhatsApp still downloads some content, you can stop it from leaking into shared storage where other apps and system components see it.

In Settings, go to Chats.
Turn off Media visibility (or similar option such as Show media in gallery). For particularly sensitive chats, open the chat, tap the contact or group name, find Media visibility, and set it to No for that thread.

WhatsApp is a sandbox, and should contain the threat. Which means, keeping media inside WhatsApp makes it harder for a malicious file to be processed by other, possibly more vulnerable components.

Lock down who can add you to groups

The attack chain requires the attacker to add you and one of your contacts to a new group. Reducing who can do that lowers risk.

In Settings, tap Privacy.
Tap Groups.
Change from Everyone to My contacts or ideally My contacts except… and exclude any numbers you do not fully trust.
If you use WhatsApp for work, consider keeping group membership strictly to known contacts and approved admins.

Set up two-step verification on your WhatsApp account

Read this guide for Android and iOS to learn how to do that.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.