WhatsApp Security Flaw Allows Malicious Files to Spread Through Group Chats
Malwarebytes highlights critical WhatsApp bug allowing malicious files to auto-download in group chats.
A critical vulnerability in WhatsApp for Android allows attackers to send malicious media files through group chats, with the files automatically downloading to victims' devices without any user interaction required.
Google's Project Zero security team disclosed the bug on 27 January 2026, revealing that users can be compromised simply by being added to a group chat where a malicious file is sent. The zero-click exploit requires no action from the victim beyond being present in the group.
The vulnerability works by exploiting WhatsApp's automatic media download feature in newly created group chats. Once an attacker adds a target and one of their contacts to a new group, malicious files sent to that group download automatically to participants' devices.
While the attack requires the attacker to know or guess at least one of the victim's contacts, Google notes it can be easily repeated once a target list is established, making it particularly dangerous for focused campaigns.
Meta reportedly pushed a server-side fix on 11 November 2025, but Google says this only partially resolved the issue. The company continues working on a comprehensive solution.
An international group of plaintiffs has also sued Meta Platforms, alleging the WhatsApp owner can store, analyse, and access users' private communications despite WhatsApp's end-to-end encryption claims.
How to Protect Yourself
Google advises WhatsApp users to disable automatic media downloads immediately. This prevents malicious files from silently landing on your device when added to hostile groups.
To disable auto-download on Android, open WhatsApp settings, navigate to Storage and Data, then under Media Auto-Download, uncheck all media types (Photos, Audio, Videos, Documents) for mobile data, Wi-Fi, and roaming connections.
Users should also restrict who can add them to groups by changing group privacy settings to "My contacts" or "My contacts except", preventing unknown numbers from adding you to potentially malicious groups.
Additional security measures include disabling media visibility in the gallery to keep downloaded content sandboxed within WhatsApp, and enabling two-step verification on your account.
Keep WhatsApp updated to receive the latest security patches as Meta continues working on a complete fix.
