Meta has published a new security advisory for messaging app WhatsApp, announcing patches for two vulnerabilities.
WhatsApp has fixed two security flaws that could be abused to interfere with how media and attachments are handled on your device. There is no evidence that either bug has been exploited in the wild.
These bugs don’t automatically infect devices, but they lower the barrier for social engineering and could be chained with other vulnerabilities for more serious attacks.
Malicious messages
The first issue, tracked as CVE‑2026‑23866, affects how WhatsApp processes AI‑generated “rich response messages” that embed Instagram Reels. On affected iOS and Android versions, incomplete validation means a specially crafted message could cause the app to load media from an attacker‑controlled URL. In some cases, this could trigger operating system‑level custom URL scheme handlers.
In other words: a booby‑trapped message could prompt your device to open content from an untrusted source.
Note: Updates may not be available immediately in all regions.
How to update WhatsApp on iOS
To update WhatsApp on iOS:
Open the App Store
Tap your profile icon
Scroll to find WhatsApp and tap Update
If it’s not listed, search for WhatsApp to check if an “Update” button is available.
Misleading filenames
The second bug, CVE‑2026‑23863, affects WhatsApp for Windows before version 2.3000.1032164386.258709.
In this case, WhatsApp did not correctly handle filenames containing embedded NUL bytes. This could allow a file to appear as a harmless type in the interface while actually being treated as an executable when opened. That’s a classic recipe for social engineering: “click the PDF,” but get an .exe file.
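As an added illustration, and not WhatsApp's own code (the advisory does not describe the exact mechanism), the Python below models the general pattern behind an embedded-NUL filename bug: one code path treats the name as a NUL-terminated string and shows the benign extension, while another uses the full string and acts on the real one. The executable-extension list and the sample names are constructed for the example.

```python
import os

# Extensions Windows will run directly when a file is "opened" (illustrative subset).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi", ".ps1", ".vbs", ".js"}


def displayed_extension(filename: str) -> str:
    """Extension a NUL-terminated (C-string) code path would show.

    Everything after the first NUL byte is invisible to such a path,
    so a name like report.pdf<NUL>.exe is displayed as report.pdf.
    """
    visible_part = filename.split("\x00", 1)[0]
    return os.path.splitext(visible_part)[1].lower()


def effective_extension(filename: str) -> str:
    """Extension of the full, length-delimited name, as seen by a path API
    that does not stop at NUL (for example a managed-string API)."""
    return os.path.splitext(filename)[1].lower()


def analyze_filename(filename: str) -> dict:
    """Flag names where the type shown to the user differs from the type
    that would be acted on, and any name that contains a NUL byte at all."""
    shown = displayed_extension(filename)
    effective = effective_extension(filename)
    has_nul = "\x00" in filename
    return {
        "has_nul": has_nul,
        "displayed_ext": shown,
        "effective_ext": effective,
        "type_mismatch": shown != effective,
        "effective_is_executable": effective in EXECUTABLE_EXTENSIONS,
        # A valid filename never contains NUL, so the safest policy is to reject outright.
        "reject": has_nul,
    }


def sanitize_filename(filename: str) -> str:
    """Fallback for code paths that must keep the attachment: strip NUL and other
    control characters so every layer sees the same, complete name."""
    cleaned = "".join(ch for ch in filename if ord(ch) >= 0x20 and ch != "\x7f")
    return cleaned or "attachment"


def scan_attachments(filenames) -> list:
    """Return the names that should be blocked before they reach the UI or the disk."""
    return [name for name in filenames if analyze_filename(name)["reject"]]


if __name__ == "__main__":
    # Constructed sample names; the NUL-bearing ones model the bug described above.
    samples = ["report.pdf", "report.pdf\x00.exe", "photo.jpg\x00.scr", "setup.exe"]
    for name in samples:
        print(repr(name), analyze_filename(name))
    print("blocked:", scan_attachments(samples))
```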
How to update WhatsApp for Windows
You can find your WhatsApp for Windows version number by clicking on your profile picture and selecting Help and feedback.
Screenshot of the version number shown under Help and feedback: Version 2.3000.1038705703.261501
If your version number is earlier than 2.3000.1032164386.258709, update via the Microsoft Store:
Click the Start menu and search for Microsoft Store to open it
Click Library located at the bottom-left corner
Find WhatsApp Desktop
Click Get Updates or Update
Once installed, restart the app to apply the changes.
Automatic updates on Windows
My WhatsApp was already up to date because I have automatic updates turned on. Here’s how to turn it on:
Click the Start menu and search for Microsoft Store to open it
Select Profile (your account picture) > Settings
Make sure App updates is toggled to On
Scammers don’t need to hack you. They just need you to click once.
WhatsApp has recently patched two notable security vulnerabilities that could have allowed attackers to execute malicious links and disguise dangerous files. The most alarming discovery involves a flaw in how WhatsApp processes Instagram Reels. This vulnerability allows remote threat actors to trigger arbitrary URLs on a victim’s device by exploiting unvalidated message elements. Meta’s latest […]
An FTC report says that Americans last year lost $2.1 billion in social media scams, such as shopping and investment schemes. Social media sites have become the place where most of these scams start, and more than half of that money was stolen in scams that began on Facebook, WhatsApp, and Instagram.
A US agent claimed WhatsApp encryption is fake and Meta can access messages; the probe was abruptly shut, raising security concerns.
A US agent claimed WhatsApp encryption is fake, alleging Meta accesses all unencrypted messages, but Commerce Department abruptly shut the probe, leaving leaders questioning if consumer apps are safe for sensitive business decisions.
In early 2026, a remarkable exchange unfolded inside the U.S. Commerce Department that has since sparked debate across cybersecurity, privacy, and corporate governance circles. A special agent from the Bureau of Industry and Security (BIS) sent an email asserting something astonishing: Meta’s WhatsApp, despite its public claims of end-to-end encryption, allows the company to access and store all user messages, including texts, photos, audio, and video, in unencrypted form. Just months later, the investigation was abruptly terminated.
“After roughly 10 months of collecting documents and conducting interviews, the agent circulated a Jan. 16 email to more than a dozen officials across federal agencies outlining preliminary conclusions,” reported TechSpot. “According to records reviewed by Bloomberg and corroborated by recipients, the agent asserted that Meta’s systems allow access to message content in ways that conflict with how WhatsApp’s encryption has been publicly described.”
After a 10-month probe internally dubbed “Operation Sourced Encryption,” the BIS agent circulated a January 16 email to over a dozen federal officials.
“There is no limit to the type of WhatsApp message that can be viewed by Meta. Meta can and does view and store all the text messages, photographs, audio and video recordings in an unencrypted format,” reads the email the agent wrote.
The email also described a “tiered permissions system” in place since at least 2019, granting access not only to Meta employees but also to contractors and “a significant number of foreign/overseas workers in India.”
The email also suggested the conduct could involve “civil and criminal violations that span several federal jurisdictions,” though the agent did not specify which laws. Importantly, this was not a formal accusation; it was a preliminary conclusion from an internal investigation that would soon be scrubbed from existence.
However, shortly after the email circulated, senior leadership at BIS shut down the inquiry.
“The [agency] is not investigating WhatsApp or Meta for violations of export laws,” said a spokesperson for the agency, Lauren Weber Holley.
Meta strongly denied the claims.
“The claim that WhatsApp can access people’s encrypted communications is patently false,” said Meta spokesperson Andy Stone.
Meta says that only chat participants can read or hear messages on WhatsApp—not even the company itself. It has also defended this stance in court, including a 2021 case against India’s traceability rules.
Not everyone agrees with the agent’s claims. Former Meta security chief Alex Stamos said they are “almost certainly false.” He noted that any backdoor would have to exist in widely inspected app code, making it easy for researchers to find. He also argued Meta wouldn’t share such powerful access with contractors.
“A widespread backdoor would be easily found by security researchers,” Stamos said. “Also, a backdoor in WhatsApp would be a massive signals intelligence tool. There’s no way Meta would provide that capability to Accenture contractors if they had it.”
Still, two individuals interviewed by the agent claimed broad access to WhatsApp messages while performing content moderation work under contract with Accenture, which did not respond to comment requests.
The investigation’s closure leaves key questions unanswered, including what evidence was found and whether WhatsApp’s encryption will be further examined, keeping uncertainty high.
US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes.
Read more in my article on the Hot for Security blog.
WhatsApp is currently developing an independent cloud backup system designed to give users more direct control over their chat histories.
This upcoming feature will allow users to store their backups securely on WhatsApp’s native servers.
The update aims to reduce reliance on third-party cloud services like Google Drive and Apple’s iCloud while enforcing strict cryptographic standards.
Solving the Storage Limit Problem
As users share more high-resolution media, WhatsApp chat backups frequently consume significant portions of personal cloud storage.
Currently, Android and iOS users must store their backups on their respective default cloud providers.
This setup forces users to share their limited storage space across emails, device backups, and heavy WhatsApp data files.
Once a user reaches their storage limit, they must either delete files or purchase additional space from Google or Apple.
To address this data bottleneck, WhatsApp is building a dual-provider system.
WhatsApp backups and storage limitations (Source: WABetaInfo)
Users will soon have the flexibility to stick with their current third-party service or switch to WhatsApp’s dedicated backup platform.
Key details regarding the new storage ecosystem include:
WhatsApp will offer a free tier with up to 2 GB of storage. However, it remains unclear whether this will be available to all users or reserved exclusively for WhatsApp Plus subscribers.
Developers are considering a premium storage plan offering 50 GB of space for approximately $0.99.
This premium tier provides an affordable alternative for users managing massive chat archives and media libraries.
All pricing models and storage limits are preliminary and subject to change based on market testing.
Mandatory End-to-End Encryption
Security remains the central focus of this independent storage system. If a user selects WhatsApp’s native cloud for backups, end-to-end encryption becomes mandatory for all data stored in the cloud.
This ensures that chat histories remain completely inaccessible to unauthorized parties, threat actors, and even WhatsApp itself.
To make this encryption both highly secure and user-friendly, WhatsApp is integrating device-based authentication.
Passkeys serve as the default method, allowing users to unlock backups using hardware-backed biometric scans, such as fingerprints or facial recognition.
Traditional alphanumeric passwords remain available for users who prefer manual entry.
A 64-digit encryption key offers a manual recovery option for advanced users wanting maximum cryptographic control.
Passkeys represent a major security upgrade for average users.
Because they are securely stored in a password manager and tied to trusted devices, they eliminate the risk of forgotten passwords while protecting against remote phishing attacks.
WhatsApp is actively developing an independent, first-party cloud backup service featuring mandatory end-to-end encryption. This upcoming feature aims to reduce users’ reliance on third-party storage providers such as Google Drive and Apple’s iCloud. By bringing backup storage in-house, WhatsApp gives users greater control over their data privacy and device storage limits. All chat histories hosted […]
Scammers dressed up like Catholic Charities and legitimate pro bono legal services on social media platforms are targeting immigrants and bilking them for money. Manhattan DA Alvin Bragg is pressing Meta to follow its own terms and shut them down.
A surge of targeted cyberattacks was detected against local governments and municipal healthcare institutions, particularly clinical and ambulance hospitals. The campaign has been attributed to threat cluster UAC-0247, known for advanced data theft, persistence, and lateral movement methods. The attack chain begins with well-crafted phishing emails that appear to discuss humanitarian aid proposals. These emails typically […]
Microsoft warns of WhatsApp attachments spreading VBS malware that installs backdoors on Windows PCs, giving hackers remote access to and control of the systems.
WhatsApp blocked a fake app by Italian firm SIO/Asigint that targeted 200 users with spyware, urging them to reinstall the official app.
WhatsApp has recently uncovered a malicious fake version of its app that targeted roughly 200 users, most of whom are in Italy. The platform confirmed that the unofficial client contained spyware and was developed by Italian firm Asigint, a subsidiary of SIO Spa, a company known for providing surveillance tools to law enforcement and government agencies.
“Our security team identified around 200 users, mostly in Italy, who we believe may have downloaded this unofficial and harmful client. We logged them out and alerted them to the privacy and security risks,” WhatsApp stated. “We believe this was a social engineering attempt targeting a limited number of users with the goal of inducing them to install harmful software impersonating WhatsApp, likely to gain access to their devices. Today, WhatsApp has taken action against Asigint, an Italian spyware company controlled by Sio Spa that created a fake version of WhatsApp. We believe the individuals behind this malicious client used social engineering techniques to trick people into downloading an unofficial and harmful app disguised as WhatsApp,” the Meta Group company said in a statement, adding that it intends to “send a formal legal notice to this spyware company to cease all harmful activity.”
The affected users were promptly logged out and notified of the potential risks to their privacy and security. WhatsApp advised them to remove the fake app and reinstall the official version, emphasizing that the incident did not involve a vulnerability in WhatsApp itself; the end-to-end encryption of legitimate apps remains intact.
According to WhatsApp, the attackers relied on social engineering techniques, tricking users into installing the counterfeit app, which was not available on official digital stores like the Apple App Store or Google Play. The approach suggests a highly targeted campaign, likely part of a broader investigation, rather than a mass-distribution attack.
“It is important to clarify that this was not a vulnerability in WhatsApp; end-to-end encryption continues to protect the communications of people using the official WhatsApp apps,” the Meta Group platform stated, as reported by the Italian press agency ANSA. “We believe the individuals behind this malicious client used social engineering techniques to convince people to download an unofficial and harmful app, passing it off as WhatsApp, likely to gain access to their devices. We intend to send a formal legal notice to this spyware company to cease any harmful activity.”
SIO, through Asigint, has a long history in the development of government-grade spyware. In a 2025 TechCrunch report, SIO was linked to Spyrtacus, a series of malicious Android apps that disguised themselves as WhatsApp and other popular applications. Spyrtacus allowed attackers to extract sensitive data from devices, including messages, contact lists, and call logs, as well as monitor users through microphones and cameras.
A WhatsApp spokesperson explained that the company plans to issue a formal legal demand to Asigint, requesting that the company cease all malicious activities. The platform stressed that holding spyware developers accountable under law is a crucial part of protecting users from targeted attacks. WhatsApp has previously achieved a precedent-setting outcome by holding a commercial spyware firm responsible under U.S. law for attempting to spy on users’ mobile devices.
The incident highlights a broader trend in digital surveillance: using fake apps as a tool for spying. Cybersecurity experts note that such tactics are common in operations targeting individuals for intelligence or law enforcement purposes.
“The fake WhatsApp campaign demonstrates the sophistication of modern social engineering techniques, where attackers exploit users’ trust in popular software to gain access to sensitive devices,” I told ANSA.
SIO describes itself as a team of software developers and architects leveraging advanced technologies to redefine human-computer interaction. According to its website, the company collaborates closely with law enforcement, government organizations, and intelligence agencies, boasting more than 30 years of experience in the sector. The fake WhatsApp case underlines how firms that operate in the intelligence space can inadvertently, or deliberately, target private users in ways that raise ethical and legal questions.
While the full scope of the attack remains unclear, the proactive response by WhatsApp underscores the importance of vigilance. Users are strongly encouraged to only download official applications and remain alert to suspicious links or prompts, especially when dealing with messaging or banking apps.
This case also demonstrates the evolving challenges of digital security in Italy and globally, where spyware developers increasingly use counterfeit applications to bypass traditional defenses and exploit user trust. Even though most affected individuals were Italian, the lessons extend to anyone using widely trusted apps. Awareness and timely updates are essential defenses against such targeted threats.
In conclusion, the WhatsApp-Asigint incident is a reminder of the ongoing arms race between privacy-focused platforms and surveillance-focused actors. While end-to-end encryption protects users of legitimate apps, attackers will continue to explore indirect methods, such as fake apps, to circumvent safeguards. Vigilance, legal accountability, and prompt user education remain the most effective tools for mitigating these sophisticated threats.
Fake Profile - URGENT - Deactivate the account +55 [enter the fake number]
Dear Sir/Madam,
The number +55 [enter the fake number] created an account and is using my profile picture to request money from my contacts. Please deactivate this account, since it is being used to commit crimes under Brazilian law and violates the terms of service. I am available to clarify any questions via my WhatsApp number +55 [enter your real number].
In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn the public about ongoing Russian-linked phishing campaigns that aim to gain access to messaging accounts.
Earlier this month we wrote about a large‑scale phishing campaign aimed at hijacking Signal and WhatsApp accounts belonging to senior officials, military personnel, civil servants, and journalists.
Now the FBI and CISA have joined European intelligence services in warning that the same tactics are being used in a broader campaign targeting these commercial messaging apps. The goal is not to break end‑to‑end encryption, but to walk straight around it by stealing access to individual accounts.
In our previous article, we focused on warnings from the Dutch intelligence services AIVD and MIVD, which described how Russian state‑backed actors approached high‑value targets via Signal and WhatsApp, posing as “Signal Support”, “Signal Security Bot”, or similar. The PSA demonstrates how the same groups are now running global phishing campaigns against messaging app accounts, with evidence suggesting thousands of compromised accounts worldwide.
It’s important to reiterate that the attackers have not managed to break the apps’ end-to-end encryption. Instead, they are relying on social engineering to get a device added so they can eavesdrop on accounts.
The current targets include current and former US government officials, military staff, political figures, and journalists, but there is nothing to stop the same techniques being reused against businesses and everyday users.
So, while it’s tempting to dismiss this as a problem for diplomats and generals (and the agencies issuing these alerts do mention high‑profile targets first), the techniques scale very easily. Once playbooks like these are public, they tend to be copied by cybercriminals looking for new ways to steal money or accounts.
How to protect your accounts
As the PSA puts it:
“Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant”
This calls for basic security measures:
Treat unsolicited messages from “Support” inside apps as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords. If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
Never share SMS verification codes or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Giving them away is like handing over the keys to your account. Consider anyone asking for them to be a scammer.
Be careful what you discuss and with whom. Both the Dutch and US advisories remind us that even with end‑to‑end encryption, some conversations are too sensitive for commercial chat apps.
Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.
What to do if you think your account was hijacked
If you suspect an attacker has taken over your messaging account:
Try to re‑register your number in the app immediately to kick out other devices.
Revoke all linked devices and change any app‑specific PINs or lock codes.
Warn your contacts that someone may have impersonated you and ask them to treat recent messages with caution.
Review recent conversations for signs of data theft (for example, shared IDs, documents, or passwords that should now be considered exposed).
Report the incident to the app provider and, where appropriate, to national reporting centers such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov or the relevant authority in your country.
The sooner you act, the smaller the window in which attackers can exploit your account.