Images spark new cyberattack risk on WhatsApp groups

Entertainment|2026/01/28

  • Google uncovers critical WhatsApp vulnerability on Android
  • Users advised to disable automatic media downloads to avoid attacks

Google’s Project Zero team has uncovered a serious security vulnerability in WhatsApp on Android that opens up a potential “attack surface” that could be exploited by hackers.

The flaw is triggered when a victim and one of their contacts are added to a newly created WhatsApp group.

An attacker then promotes that contact to group admin and sends malicious images to the group, which may be automatically downloaded to the victim’s phone—effectively paving the way for an attack.

Google said Meta is currently working on a fix, noting that a server-side change introduced on November 11, 2025, partially addressed the issue, while a comprehensive solution is still in development.

The company advised users to disable automatic media downloads or enable WhatsApp’s Advanced Privacy Mode to prevent files from being downloaded without consent.

Security experts explained that this type of attack is likely to be targeted, as it requires the attacker to know at least one of the victim’s contacts, making it less severe than attacks that allow full access to contact lists.

However, Project Zero warned that attackers could attempt the exploit repeatedly in quick succession, and that guessing contacts may be relatively easy in targeted attacks.

The vulnerability report was submitted to Meta on September 1, 2025, under standard disclosure rules that grant companies 90 days to fix issues before public release. After Meta failed to issue a fix by November 30, the vulnerability was disclosed publicly.

Experts stress that disabling automatic media downloads remains a critical safety measure even after a fix is rolled out, advising users not to download files unless they are confident about the sender’s identity and the file’s origin.