WhatsApp hasn’t had the smoothest reputation journey. What was once a widely trusted, no-nonsense messaging app is now, for many users, a reluctant necessity tied to the wider Meta ecosystem. Even people who are privacy-conscious and careful with their settings often stay only because everyone else is still there.
Unfortunately, recent developments won’t help restore confidence.
Security researchers from Google Project Zero have disclosed a vulnerability affecting WhatsApp on Android. In short: a specially crafted media file can be used as an attack vector inside newly created group chats — without the victim tapping anything.
That’s right: zero-click.
Table of Contents
What’s the issue?
The flaw revolves around WhatsApp’s automatic media downloads in group chats. If an attacker creates a group, adds you (and at least one known contact), and sends a malicious file, your phone may automatically download it in the background. No interaction required.
According to Project Zero, this type of attack is most likely to be used in targeted campaigns, not random mass exploitation. That said, once an attacker has a list of potential targets, repeating the process is fairly trivial.
As if that weren’t enough, Meta is also facing fresh legal pressure. An international group of plaintiffs alleges that Meta can store, analyse, and access WhatsApp communications despite its end-to-end encryption claims. Whether those claims succeed in court is another matter, but the optics are… not great.
Has it been fixed?
Meta reportedly pushed a server-side change in November 2025. However, Project Zero has stated that this only partially addressed the problem. A more complete fix is still in progress.
In the meantime, users are advised to reduce their exposure — especially on Android.
How to secure WhatsApp right now
Until a full patch lands, the goal is simple: stop media from downloading automatically and limit who can pull you into group chats.
Disable automatic media downloads
This prevents files from quietly landing on your device the moment you’re added to a group.
- Open WhatsApp on your Android phone
- Tap the three-dot menu (top right) → Settings
- Go to Storage and data
- Under Media auto-download, tap:
- When using mobile data
- When connected on Wi-Fi
- When roaming
- For each option, uncheck Photos, Audio, Videos, and Documents, then tap OK
- Confirm each category now shows No media
This directly follows Project Zero’s recommendation and blocks silent downloads from hostile group chats.
Stop WhatsApp media appearing in your gallery
Even if some files still download, you can keep them contained inside WhatsApp’s sandbox.
- Go to Settings → Chats
- Turn off Media visibility (or “Show media in gallery”)
- For sensitive chats, open the chat → tap the contact or group name → set Media visibility to No for that thread
Keeping media out of shared storage reduces the chance of other apps or system components interacting with a malicious file.
Restrict who can add you to groups
This attack relies on being dragged into a group without consent. You can limit that.
- Go to Settings → Privacy → Groups
- Change the setting from Everyone to:
- My contacts, or better
- My contacts except… and exclude anyone you don’t fully trust
If you use WhatsApp for work, keep group creation tightly controlled and limited to known admins.
Enable two-step verification
It won’t stop this specific attack, but it does protect your account from takeover if something else goes wrong. It’s basic hygiene — and still skipped by far too many users.
Final thought
WhatsApp remains widely used, but convenience always comes at a cost. Until Meta finishes a full fix, tightening a few settings can significantly reduce your risk. It’s not about panic — it’s about not making life easy for attackers.
Quiet, boring security settings are usually the ones that save you.
And as always: keep the app updated. Every patch matters.
Leave a Reply