Malware without a click Attacks on WhatsApp group chats - how to protect yourself
A previously underestimated function in WhatsApp can be used to get malware onto your cell phone. Often you don't even notice the attack, which is why you should be well prepared.
No time? blue News summarizes for you
- Attackers can place malware on smartphones via WhatsApp groups without users noticing or actively agreeing to it.
- Google considers the patch published by Meta to be insufficient, so the security gap is not yet fully closed.
- For the time being, users can only reduce the risk themselves, for example by switching off automatic downloads and restricting group memberships.
What at first sounds like a theoretical security risk is becoming a real problem for more and more WhatsApp users. Specifically, it concerns a standard function with which the messenger automatically downloads content. A convenience feature that cyber criminals have recently been exploiting.
The attack method was discovered by Google's Project Zero security team, as reported by IT security company Malwarebytes, among others. The core of the problem is that attackers only need a victim's telephone number. They then add this number to a WhatsApp group and send a manipulated file there.
The default settings of the messenger automatically download this file to the smartphone. Unlike classic phishing attacks, no click is required. The malicious code is therefore already on the device before the user has to click on anything.
The start of an avalanche
The malware is not executed immediately. But security researchers warn against underestimating this hurdle. In many cases, targeted social manipulation, such as a phone call or a message, is enough to get the user to open the file. Once this has happened, the malware can read out sensitive data, load additional programs or completely compromise the device.
The special feature of the attack lies less in its technical sophistication than in its invisibility. "Zero-click"-like scenarios are considered particularly critical because they circumvent existing protection mechanisms and the security awareness of users.
Disagreement over the solution
Meta, the parent company of WhatsApp, says it has already released an update to fix the vulnerability. Google has a more nuanced view. According to Project Zero, the patch only partially addresses the problem. Certain attack scenarios are still possible, which is why Meta is apparently working on a more far-reaching solution.
This discrepancy shows a structural problem of modern IT security: even after a vulnerability has been made public, it often remains unclear whether and when it will be completely closed, especially in applications with billions of users and complex functions.
What users can do now
As long as there is no clearly confirmed, complete technical solution, prevention remains crucial. WhatsApp offers several settings that can significantly reduce the risk.
Switch off auto-download on WhatsApp
- Open WhatsApp.
- Open the settings.
- Tap on Storage and data.
- Under "Auto-download media", set all data types to Never.
Restriction of group membership
- Tap Privacy in the WhatsApp settings.
- Tap on Groups.
- Set who can add you to groups. Instead of the default setting "All", select "My contacts" or "My contacts except..." and mark all contacts you don't trust.
