A WhatsApp bug lets malicious media files spread through group chats

Added to a group and boom—bad files auto‑download; users roast Meta and the messaging wars ignite

TLDR: A WhatsApp Android bug can auto‑download malicious media when you’re added to a group; Meta’s fix is only partial, so turn off auto‑download. Comments split between calling the coverage sloppy and brushing it off as data waste, while privacy hawks point to a lawsuit and accuse Meta of eroding trust.

WhatsApp’s latest headache: a bug on Android lets a malicious photo, video, or document auto‑download the moment you’re added to a new group—no taps needed. Google’s Project Zero sounded the alarm; Meta says a server-side tweak helped, but a full fix is still coming. In the meantime, the official advice is simple: turn off media auto‑download or switch on Advanced Privacy Mode. It’s likely a targeted attack, but repeatable once someone knows your contacts. Cue panic, eye‑rolls, and the eternal “just move to Signal” chant.

The comments hit DEFCON Drama. jeroenhd blasts the write‑up as “awful reporting,” fuming there’s no direct Project Zero link and dragging a Forbes piece for interviewing a rival app. charcircuit shrugs: “So… your data plan gets nuked?”—which sparks clapbacks about real‑world risks. j45 derails delightfully with a new word, “Prolificity,” turning the thread into a mini‑meme. Privacy hawks pile on with the fresh lawsuit alleging Meta can peek at WhatsApp data (court filing), yelling “E2EE theater!” Meanwhile, iPhone users smirk, Android fans push back, and everyone agrees on one thing: Auto‑download is out; manual is in.

Key Points

  • A WhatsApp for Android flaw allows malicious media sent to newly created group chats to auto-download and be used as an attack vector.
  • The attack is zero‑click: users can be targeted simply by being added to a group and receiving a malicious file.
  • Project Zero says the method is likely used in targeted campaigns, requiring knowledge of at least one contact.
  • Meta reportedly deployed a partial server-side mitigation on Nov 11, 2025; a comprehensive fix is in progress.
  • Google advises disabling media auto-download or enabling Advanced Privacy Mode, and keeping WhatsApp/Android updated.

Hottest takes

"Awful reporting… Was there a human involved in publishing this page?" — jeroenhd
"What is the actual implication of the attack. That your mobile data might be wasted?" — charcircuit
"Prolificity (ooh, invented word?)" — j45
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.