WhatsApp Android Vulnerability Made Public After Meta Misses Fix Deadline

Deepanker Verma January 27, 2026 Security


A security vulnerability affecting WhatsApp on Android has been made public by Google’s Project Zero team after Meta failed to fully fix the issue within the standard 90-day deadline. The flaw could allow attackers to deliver malicious media files to a user’s phone without any interaction, which makes it a serious concern for Android users.

The vulnerability was disclosed by Brendon Tiszka from Google Project Zero. According to the public report, an attacker can create a WhatsApp group, add a target user and one of the target’s contacts, and then promote that contact to admin. The attacker can then send a specially crafted media file to the group. Due to WhatsApp’s automatic media download behavior, the file can be downloaded silently to the victim’s device.

The downloaded media file is saved in Android’s MediaStore database. If the file is designed to escape this environment, it could act as an exploit and potentially carry out harmful actions without the user opening or interacting with the file. This makes the attack largely interaction-free, which increases its risk.

Google Project Zero privately reported the issue to Meta on September 1, 2025. Under Project Zero’s disclosure policy, Meta was given 90 days to release a full fix. However, no complete patch was issued by the November 30 deadline, so the vulnerability was made public. On December 4, Tiszka confirmed that Meta had rolled out a partial server-side fix, but the underlying issue has not been fully resolved yet. The bug remains open as of now.

There are some limitations to the attack. The attacker needs to know or guess the phone numbers of both the victim and one of their contacts. The malicious media file also needs to be technically advanced to cause real damage. This makes large-scale attacks less likely, but targeted attacks are still possible.

Android users can reduce their risk by changing a few settings. Enabling Advanced chat privacy in WhatsApp group settings prevents automatic media downloads. Users can also turn off media auto-download by going to Settings, then Storage and data, and disabling automatic downloads for photos, videos, and documents. These steps can block the exploit path entirely.

The issue appears to affect only WhatsApp on Android. Other platforms have not been mentioned as vulnerable in the Project Zero report. The disclosure once again highlights how media handling remains an attractive attack surface for malicious actors. Meta had acknowledged a similar attachment-related vulnerability in WhatsApp last year.

