Though WhatsApp and Telegram tout themselves as secure messaging services, faulty developer coding that allows cyberattackers to intercept media files sent on the Android versions of the services (like photos and videos, documents and voice memos) undercuts that claim.
The security weakness, dubbed Media File Jacking, is a variant of the “man in the disk” flaw revealed by Check Point at DEFCON last year. It arises from the fact that Android’s OS makes use of two types of storage – internal storage which provides every app with its own sandbox and is not accessible by other apps; and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS, because it’s designed to enable apps to transfer data from one app to another. So, if a user takes a picture and then wants to send it to someone using a messaging app, the external storage is the platform that allows this to happen.