MALWAREBYTES

A WhatsApp bug lets malicious media files spread through group chats

Description

WhatsApp is going through a rough patch. Some users would argue it has been ever since Meta acquired the once widely trusted messaging platform. User sentiment has shifted from “trusted default messenger” to a grudgingly necessary Meta product.

Privacy-aware users still see WhatsApp as one of the more secure mass-market messaging platforms if you lock down its settings. Even then, many remain uneasy about Meta’s broader ecosystem, and wish all their contacts would switch to a more secure platform.

Back to current affairs, which will only reinforce that sentiment.

Google’s Project Zero has just disclosed a WhatsApp vulnerability where a malicious media file, sent into a newly created group chat, can be automatically downloaded and used as an attack vector.

The bug affects WhatsApp on Android and involves zero‑click media downloads in group chats. You can be attacked simply by being added to a group and having a malicious file sent to you.

According to Project Zero, the attack is most likely to be used in targeted campaigns, since the attacker needs to know or guess at least one contact. While focused, it is relatively easy to repeat once an attacker has a likely target list.

And to put a cherry on top for WhatsApp’s competitors, there is a potentially even more serious concern for the popular messaging platform: an international group of plaintiffs has sued Meta Platforms, alleging that the WhatsApp owner can store, analyze, and access virtually all of users' private communications, despite WhatsApp’s end-to-end encryption claims.

## How to secure WhatsApp

Reportedly, Meta pushed a server change on November 11, 2025, but Google says that only partially resolved the issue. So, Meta is working on a comprehensive fix.

Google’s advice is to disable Automatic Download or enable WhatsApp’s Advanced Privacy Mode so that media is not automatically downloaded to your phone.

And you’ll need to keep WhatsApp updated to get the latest patches, which is true for any app and for Android itself.

### Turn off auto-download of media

Goal: ensure that no photos, videos, audio, or documents are pulled to the device without an explicit decision.

* Open WhatsApp on your Android device.
* Tap the three‑dot menu in the top‑right corner, then tap **Settings**.
* Go to **Storage and data** (sometimes labeled **Data and storage usage**).
* Under **Media auto-download**, you will see **When using mobile data**, **When connected on Wi‑Fi**, and **When roaming**.
* For each of these three entries, tap it and uncheck all media types: **Photos**, **Audio**, **Videos**, **Documents**. Then tap **OK**.
* Confirm that each category now shows something like “No media” under it.



Doing this directly implements Project Zero’s guidance to “disable Automatic Download” so that malicious media can't silently land on your storage as soon as you are dropped into a hostile group.

### Stop WhatsApp from saving media to your Android gallery

Even if WhatsApp still downloads some content, you can stop it from leaking into shared storage where other apps and system components see it.

* In **Settings**, go to **Chats**.
* Turn off **Media visibility** (or a similar option such as **Show media in gallery**). For particularly sensitive chats, open the chat, tap the contact or group name, find **Media visibility**, and set it to **No** for that thread.



WhatsApp is sandboxed and should contain the threat. That means keeping media inside WhatsApp makes it harder for a malicious file to be processed by other, possibly more vulnerable components.

### Lock down who can add you to groups

The attack chain requires the attacker to add you and one of your contacts to a new group. Reducing who can do that lowers risk.

* In **Settings**, tap **Privacy**.
* Tap **Groups**.
* Change from **Everyone** to **My contacts** or, ideally, **My contacts except…** and exclude any numbers you do not fully trust.
* If you use WhatsApp for work, consider keeping group membership strictly to known contacts and approved admins.



### Set up two-step verification on your WhatsApp account

Read this guide for Android and iOS to learn how to do that.


Basic Information

ID MALWAREBYTES:C8ECDDB8B9FFD93D1889E0DF9D42BF54
Published Jan 27, 2026 at 11:55
