A simple phishing attack through an Android messaging application could result in the direct leakage of data found in External Storage (/sdcard). Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even exfiltrate sensitive information.

The flaws take aim at devices running Android versions up to and including Android 9 by carrying out what’s known as a “man-in-the-disk” attack that makes it possible for adversaries to compromise an app by manipulating certain data being exchanged between it and the external storage.

A few months ago, WhatsApp asked users to agree to let Facebook and its subsidiaries collect user data, including their phone number and location. In addition, WhatsApp brought in three updates: how the app processes your data; how businesses can use Facebook-hosted services to store and manage their WhatsApp chats; and the integration of Facebook’s other products with WhatsApp.

Key Points:

  • Whatever information WhatsApp automatically collects from you will be shared with Facebook. This includes your mobile phone number and basic information you give when you create a WhatsApp account.
  • It also collects device-level information such as the device you use, your mobile network and IP address, among others. It also collects and uses precise location information from your device, but with your permission.
  • WhatsApp has reiterated that all messages are end-to-end encrypted. This means that neither WhatsApp nor third parties will access or read your messages.

For details, read the recent policy here.