WhatsApp is one of the largest online communication platforms in the world. Its broad feature set and ad-free interface make it a natural choice not only for personal use but also for work-related communication in some organizations. That same reach makes it an attractive target for malicious actors. Now, the Google Project Zero team has made a vulnerability in WhatsApp for Android public after Meta failed to fully patch it within the allotted 90 days.
In a ticket in its public issue tracker, Brendon Tiszka of the Google Project Zero team describes how an attacker who creates a WhatsApp group can add their intended victim and one of the victim's contacts to it. The attacker then makes the victim's contact an admin of the group and sends malicious media content, which is automatically downloaded to the victim's device without any interaction on the victim's part. The file lands in the MediaStore database on the device, and if it can then trigger a further vulnerability from there, the result is an exploit that targets victims in an interactionless, zero-click manner.
While all of this sounds pretty scary, there are some caveats to keep in mind. The exploit requires knowing or guessing the phone numbers of both the victim and their contact. Obtaining those is not especially difficult today, but a successful exploit would also require the malicious media file to be sophisticated enough to do actual harm once it has reached the device. Finally, if you enable Advanced chat privacy in WhatsApp or disable automatic downloading of media, a malicious file will not be downloaded automatically, which closes off this attack path.
Google Project Zero reported this vulnerability privately to Meta on September 1, 2025, giving the firm the standard 90 days to fix the issue before it was made public. After Meta failed to issue a fix by November 30, 2025, the vulnerability was disclosed. On December 4, Tiszka confirmed that while Meta had shipped a partial server-side fix to narrow this security hole, a complete fix was still in the works. The ticket has not been updated with new communications since then, which would indicate that this bug is still open.
Tiszka"s ticket has only talked about WhatsApp Android being vulnerable in this way, so we can assume that other platforms should be safe. If you"re on Android, turn on Advanced chat privacy in a group chat by navigating to it, pressing on the three-dots icon, tapping on Group info and toggling on Advanced chat privacy. However, you can still be vulnerable in scenarios where you"ve already been added to a group without your knowledge and the attack is in progress. So it"s also better to disable automatic media download by navigating to Settings > Storage and data > Media auto-download. We have reached out to Google Project Zero and Meta for more details on this topic.
Keep in mind that an attachment-related vulnerability in WhatsApp was also acknowledged by Meta last year, so it's evident that media handling remains an attractive attack surface for malicious actors.