Google Warns Android Users of WhatsApp Vulnerability That Opens New Attack Surface
Google has issued a warning to Android users after identifying a serious vulnerability in WhatsApp that could be exploited in targeted cyber attacks.
The alert comes from Google’s elite Project Zero threat research team, which is known for uncovering high-impact zero-day vulnerabilities affecting major platforms. According to the report, the flaw affects WhatsApp on Android devices and is linked to zero-click media downloads, a class of attacks that can occur without any direct interaction from the victim.
The vulnerability works through WhatsApp group functionality. An attacker can add both the victim and one of the victim’s contacts to a newly created group, promote the known contact to an administrator role, and then send a malicious media file to the group. Because media files are often set to download automatically, the file can be saved to the victim’s device without being opened, creating what Google describes as a new attack surface.
Google said that Meta, which owns WhatsApp, has acknowledged the issue and is working on a fix. A server-side change introduced on November 11 partially addressed the problem, but Google said a comprehensive fix is still in development.
In the meantime, users are being urged to take action to protect themselves. Google recommends disabling automatic media downloads or enabling WhatsApp’s Advanced Privacy Mode to prevent files from being downloaded automatically.
The Project Zero team noted that the vulnerability is likely to be used in targeted attacks, as an attacker must know or guess at least one of the victim’s contacts. However, researchers warned that it would be easy to attempt this attack repeatedly and that guessing contacts may be feasible in focused campaigns.
The issue was first reported privately to Meta on September 1, 2025, under the standard 90-day disclosure window. After no full fix was released by November 30, the vulnerability was made public. According to reporting by Neowin, confirmation that Meta was working on the issue came on December 4, but there have been no further updates since, suggesting the bug remains unresolved.
Security experts have long warned about the risks of automatically downloading media from messaging apps. While the apps themselves may operate in a sandboxed environment, files saved to a device’s general media storage sit outside that sandbox and can potentially expose users to wider system-level threats.
The warning also follows unrelated public criticism of WhatsApp’s security by Pavel Durov, who claimed the platform has multiple attack vectors. Those claims have not been substantiated and are not directly connected to the vulnerability identified by Google.
For now, cybersecurity experts say the safest approach is to disable automatic media downloads across messaging apps and only download files when the sender and source are fully trusted.
