Google’s Project Zero has disclosed a WhatsApp bug that lets malicious media files spread through group chats. The vulnerability affects WhatsApp on Android and involves zero-click media downloads in group chats, meaning you can be attacked simply by being added to a group and having a malicious file sent to you.
According to Project Zero, the attack is most likely to be used in targeted campaigns, since the attacker needs to know or guess at least one contact, though it is relatively easy to repeat once a target list exists. Meta pushed a server change on 11 November 2025, but Google says that only partially resolved the issue, and Meta is working on a comprehensive fix.
The article also offers practical steps to reduce risk, such as disabling Automatic Download, enabling Advanced Privacy Mode, turning off media visibility, restricting who can add you to groups, and setting up two-step verification on your WhatsApp account.