WhatsApp users are being urged to change a single privacy setting after researchers uncovered a serious hacking flaw that abuses group chats to plant malicious files on phones. The issue centers on how the app automatically downloads media, which can give attackers a quiet route to seize control of a device if the right protections are not in place. I am going to focus on what the bug does, why the automatic download feature is so risky, and how to lock your account down in a few taps.
The fix is not a complicated security overhaul or a specialist tool; it is a simple change inside WhatsApp’s settings menu that cuts off the easiest path for the exploit. With a recent vulnerability showing how quickly a fake group invite can turn into a full device compromise, the stakes for getting this right are high for anyone who keeps WhatsApp on their main phone.
How the WhatsApp group chat bug opened the door to hackers
The latest warning stems from a flaw in the way WhatsApp handles media files that arrive through group chats, especially when those groups are created or controlled by an attacker. Security researchers at Project Zero, part of Google, detailed how a specially crafted image, video, or document could be pushed into a newly created group chat and then silently downloaded to victims’ phones. Because WhatsApp is designed to make sharing photos and clips feel instant and seamless, the app will often fetch those files in the background before a user has even opened the conversation.
According to separate technical analysis, the same underlying issue allowed malicious media to spread through group chats in a kind of chain reaction, with one compromised file being forwarded into more groups and onto more devices. One report explained that Google’s internal security team flagged the problem and that Meta, which owns WhatsApp, pushed a server-side change in November 2025 that only partially resolved the risk. That partial fix means the bug is harder to exploit at scale, but it does not remove the danger for users who leave the most permissive settings switched on.
The one setting experts say you should flip immediately
Security specialists are now converging on a single, practical recommendation: turn off automatic media downloads so that nothing is saved to your phone unless you explicitly tap it. The vulnerable path in this case is the feature that lets WhatsApp automatically pull down pictures, videos, audio, and documents from chats and groups, which is convenient but also hands attackers a way to drop code onto your device without any extra clicks. By forcing every file to stay on WhatsApp’s servers until you choose to download it, you dramatically shrink the window in which a malicious attachment can execute or be opened by accident.
Reports urging users to act spell this out in blunt terms: leaving auto-download enabled means pictures, files, and other attachments can land on your handset without you realising, and that is exactly the behaviour the exploit relies on. One warning explained that this is why WhatsApp users are being told to change one setting after a hacking bug, because the vulnerability allowed automatic download of malicious files via fake group invites and similar tricks. Another advisory noted that February guidance from security commentators was explicit: anyone with WhatsApp on their phone should adjust this option immediately to avoid handing cybercriminals an easy route into their device.
How to change your WhatsApp media settings in seconds
Switching off automatic downloads is buried only a couple of taps deep in WhatsApp’s menus, but it is not always obvious if you have never touched the defaults. On Android, you open the app, tap the three dots in the top right, choose Settings, then Storage and data, and look for the sections that control media auto-download on mobile data, Wi‑Fi, and roaming. On iPhone, you go to Settings inside WhatsApp, then Storage and Data, and untick the media types you do not want to download automatically, ideally all of them so that every file requires a manual tap.
WhatsApp’s own help pages explain how media download behaviour works and how to adjust it, including the difference between content that is saved to your phone and content that stays inside the app. The official FAQ notes that users can choose whether photos, audio, videos, and documents are fetched automatically on different types of connections, which is exactly the control security experts now want people to tighten. By setting each category to “No media” for automatic download, you ensure that even if a malicious file is pushed into a group you never meant to join, it will not be silently written to your storage.
What Google’s Project Zero found and why Meta’s fix is not enough
The deeper concern behind the current wave of warnings is what the bug reveals about how messaging apps handle untrusted content. Google’s internal security team, known as Project Zero, specialises in finding exactly this kind of flaw, where a crafted file can trigger unexpected behaviour in the way an app parses or stores data. In this case, the researchers showed that a malicious media file sent into a newly created group chat could be enough to compromise devices that accepted the invite and left default settings untouched, even if the victims never actively engaged with the content.
After Project Zero disclosed the issue, Meta responded with a server-side change that reportedly reduced the exploitability of the bug, but analysis from independent researchers suggests that the mitigation is only partial. One technical breakdown noted that Meta’s adjustment on its servers limited some of the most dangerous behaviours but did not fully close off the path that lets malicious media spread through group chats. Another report on the same vulnerability highlighted that users of WhatsApp would be wise to assume that attackers will keep probing for ways around partial fixes, and that changing local settings is the only control they fully own.
Why this matters even if you think you are careful in chats
Many people assume they are safe because they only open messages from friends and family, but the exploit described by researchers does not rely on you tapping a suspicious link or accepting a contact request from a stranger. Instead, it abuses the way group chats can be created and populated, sometimes using spoofed or compromised accounts to make an invite look harmless. Once you are in, the automatic download feature does the rest, quietly pulling down whatever media is sent, which is why experts are stressing that this is not about being more vigilant; it is about changing how the app behaves by default.
Warnings issued in early February made clear that the risk is not theoretical: attackers can use malicious files delivered through group chats to seize control of the device itself. That means access to messages, photos, and potentially other apps and data on the phone, depending on how the exploit chain is built. Even if Meta continues to harden its servers and patch the app, the most reliable way for ordinary users to cut off this avenue is to disable automatic media downloads and treat every unexpected file, even in a familiar group, as something that should be tapped only if it is clearly trusted.
*This article was researched with the help of AI, with human editors creating the final content.