Security experts issue urgent WhatsApp update over new ‘spoofing’ hack

WhatsApp issues an urgent update over a major security flaw.

Only last month, WhatsApp users were advised to urgently update the app due to a glitch that allows their private photos to remain visible. The popular messaging app also announced earlier this week that some older smartphones will soon no longer be able to run WhatsApp due to changes in its compatibility.

Now, a newly discovered 'spoofing issue' reportedly allows cybercriminals to carry out an attack through a media attachment. According to an alert issued by WhatsApp’s parent company Meta, the software vulnerability means hackers can gain remote access to a user’s device through a shared image or file.

The software vulnerability means hackers can gain remote access to a user’s device through a shared file / Westend61 / Getty

So far, it seems only the Windows Desktop version of WhatsApp is affected.

“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp,” the security advisory stated.

Meta hasn’t confirmed if anyone has actually fallen victim to the attack yet. But, the flaw has led to security experts warning WhatsApp users to be cautious of any images they receive - this goes especially for group chats.

“Most people will be part of a WhatsApp group where it is common for images to be shared and this is where this vulnerability becomes dangerous,” said Adam Pilton, a senior cybersecurity consultant at CyberSmart. “If a cyber criminal was able to share this image either in your group or with someone you trust who then goes on to share it in your group, anybody in that group could unknowingly execute the malicious code associated with the shared image."

Meta hasn’t confirmed if anyone has fallen victim to the cyber attack / NurPhoto / Contributor / Getty

This bug was flagged through Meta’s bug bounty program, which rewards people for spotting security loopholes. Moreover, it's part of a worryingly rising trend of malware disguised as harmless attachments.

A recent report from cyber security firm SonicWall revealed that there was a large spike in this kind of sneaky malware in 2024.

SonicWall recorded 210,258 never-before-seen malware variants - which equates to around 637 threats every day.

“Cybercriminals are constantly developing new tactics, techniques, and procedures (TTPs) to exploit vulnerabilities and bypass security controls, and companies must be able to quickly adapt and respond to these threats,” added Spencer Starkey, an executive vice president at SonicWall. “Due to the speed at which new attacks are being created, they are more adaptive, and difficult to detect, which poses an additional challenge for cybersecurity professionals.”