Cybersecurity researchers at Google Project Zero and Citizen Lab have jointly disclosed a critical zero-click vulnerability affecting both WhatsApp and Telegram, two of the world's most widely used messaging platforms. Unlike traditional phishing attacks that require users to click a malicious link, this vulnerability can compromise a device simply by receiving a specially crafted media file — no interaction required whatsoever.
How the Zero-Click Attack Works
The attack exploits a memory corruption vulnerability in the image and video rendering libraries used by both applications. When a malicious file is received, the app automatically generates a preview thumbnail — a process that triggers the exploit before the user even sees the message. The attacker gains remote code execution capabilities, meaning they can run any code on the victim's device with the same permissions as the messaging app itself.
In practice, this means an attacker can silently read all messages, access the device camera and microphone, steal stored files and photos, install persistent malware that survives app reinstallation, and even access other apps on the device if the exploit is chained with a privilege escalation vulnerability. The attack leaves minimal forensic traces, making detection extremely difficult even for sophisticated security teams.
Scale of the Threat
WhatsApp has over 2.7 billion users globally, with India being its largest market at over 500 million users. Telegram has approximately 900 million users worldwide. The combined attack surface represents nearly half of the world's smartphone users. Security researchers estimate that the vulnerability had been actively exploited for at least six months before its public disclosure, meaning millions of devices may already be compromised.
The vulnerability is particularly dangerous because it affects both iOS and Android versions of both apps. There is no safe version to fall back to — all users running versions prior to the emergency patches are potentially vulnerable. Nation-state actors, criminal organizations, and commercial spyware vendors are all believed to have been aware of and exploiting this vulnerability.
Who Is Being Targeted
Forensic analysis of known exploitation cases reveals a pattern of targeting that includes journalists, human rights activists, political opposition figures, corporate executives, and government officials. The Citizen Lab has documented cases in 45 countries where the vulnerability was used to surveil individuals of interest to government intelligence agencies. However, criminal groups are also using the exploit for financial fraud, targeting bank employees and cryptocurrency traders.
In India specifically, the Computer Emergency Response Team (CERT-In) has issued an emergency advisory warning that the vulnerability is being actively exploited. Several high-profile cases of corporate espionage have been linked to this attack vector, with attackers gaining access to sensitive business communications and financial data.
Emergency Patches Released
Both WhatsApp and Telegram have released emergency patches addressing the vulnerability. WhatsApp version 2.25.8.15 and Telegram version 10.14.5 contain the fixes. Users must update immediately — the patches were pushed as high-priority updates and should appear automatically on most devices, but manual verification is strongly recommended.
The patches work by implementing additional validation checks on incoming media files before they are processed by the rendering engine. This adds a small performance overhead but eliminates the attack vector entirely. Both companies have also implemented server-side filtering to block known malicious file signatures, providing an additional layer of protection even for users who have not yet updated.
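As an added illustration of the kind of pre-render validation described above (example code written for this article, not WhatsApp's or Telegram's actual implementation; the size and dimension limits and the sample files are constructed), a gate that checks the file signature against the declared type and bounds the image dimensions before any thumbnail decoder touches the bytes:

```python
import struct
# Constructed limits for this example; a real client would tune them to its decoder.
MAX_FILE_BYTES = 16 * 1024 * 1024
MAX_DIMENSION = 8192
MAX_PIXELS = 40_000_000  # bounds width*height so the thumbnail buffer size stays sane
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

def png_dimensions(data):
    # PNG: 8-byte signature, then the IHDR chunk (4-byte length, "IHDR", width, height)
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

def jpeg_dimensions(data):
    # JPEG: walk marker segments until a baseline/progressive SOF carrying height and width
    i = 2
    while i + 9 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker in (0xC0, 0xC1, 0xC2):
            h, w = struct.unpack(">HH", data[i + 5:i + 9])
            return w, h
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if seg_len < 2:
            return None
        i += 2 + seg_len
    return None

def validate_media(declared_type, data):
    """Return (accepted, reason) before any decoder is allowed to see the bytes."""
    if len(data) > MAX_FILE_BYTES:
        return False, "file exceeds size limit"
    if declared_type == "image/png" and data.startswith(PNG_MAGIC):
        dims = png_dimensions(data)
    elif declared_type == "image/jpeg" and data.startswith(JPEG_MAGIC):
        dims = jpeg_dimensions(data)
    else:
        return False, "declared type does not match file signature"
    if dims is None:
        return False, "malformed image header"
    w, h = dims
    if not (0 < w <= MAX_DIMENSION and 0 < h <= MAX_DIMENSION and w * h <= MAX_PIXELS):
        return False, "dimensions outside safe bounds"
    return True, "ok"
# Constructed samples: a valid 1x1 PNG header and a PNG that claims 100000x100000 pixels
GOOD_PNG = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 1, 1)
HUGE_PNG = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 100000, 100000)
```

A file that fails any check is never handed to the rendering library, which is the point of validating before, rather than during, thumbnail generation.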
How to Protect Yourself
The most critical step is to update both apps immediately to their latest versions. Beyond patching, security experts recommend disabling automatic media download in both apps — this prevents malicious files from being processed without your knowledge. In WhatsApp, go to Settings, Storage and Data, and disable automatic download for photos, audio, and video on all network types. In Telegram, go to Settings, Data and Storage, and configure similar restrictions.
Enable two-factor authentication on both platforms if you have not already done so. This will not prevent the zero-click exploit itself, but it will prevent attackers from taking over your account even if they gain access to your device. Regularly review the list of active sessions in both apps and terminate any sessions you do not recognize.
Broader Implications for Messaging Security
This vulnerability highlights a fundamental tension in modern messaging app design: the desire to provide rich, seamless media experiences conflicts with the security imperative to minimize attack surface. Every feature that automatically processes incoming content — thumbnail generation, link previews, contact card rendering — represents a potential attack vector that sophisticated adversaries will probe for weaknesses.
Security researchers are calling for messaging platforms to adopt a more conservative approach to automatic content processing, particularly for messages from unknown senders. Some are advocating for a "safe mode" option that disables all automatic processing and requires explicit user confirmation before any incoming content is rendered. The tradeoff in user experience may be worth the significant security improvement.
