Cyber scams are becoming trickier by the day, and criminals have now discovered a new way to target people: through images sent on WhatsApp. Unlike the usual scams that ask you to click suspicious links or share your OTP, this newest scam conceals dangerous malware within what seems to be a normal photo. Victims lose money and control of their phones without even knowing it, and the consequences can be severe.
How does the scam work?
Usually, the scam starts when you get a WhatsApp photo from an unknown number. At first glance it seems to be a harmless image, such as a random picture or one sent with a request for help identifying someone. But this image contains malware that steals your banking details, passwords, OTPs and UPI details, and can even take control of your phone. As soon as you open the infected image, the malware sneaks itself onto your device. Unlike other scams, you will not receive any warning or OTP request. Once the malware is on your phone, it can access your sensitive information and, in some cases, let the criminals control your phone remotely.
What type of malware is used for these scams?
Steganography is increasingly becoming a tool of choice for malware. A likely common method is Least Significant Bit (LSB) steganography, in which malicious code is hidden in the least significant bits of a file's pixel data, making it invisible to the human eye. The concealed malware is extracted and silently executed when a victim opens such a file, giving the attackers remote access to the device. This access gives them the ability to intercept one-time passwords (OTPs), mimic voices, as reported in the Jabalpur case, and steal sensitive information such as passwords and UPI PINs. In some cases, stolen credentials have been used to withdraw funds from an ATM without authorisation, as in the case of Hyderabad.
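How a defender can look for the statistical trace LSB embedding leaves behind, as an added example that is not part of the original article: overwriting least significant bits with random-looking payload bits evens out the counts of each pixel-value pair (2k, 2k+1). The pixel data, function names and threshold below are constructed assumptions, and real steganalysis tools compute a proper p-value over decoded image data.

```python
import random
from collections import Counter

def lsb_pair_score(pixels):
    """Chi-square statistic per degree of freedom over value pairs (2k, 2k+1).

    In untouched data the two counts in a pair usually differ. After LSBs
    are overwritten with random-looking bits they converge, and the score
    falls to about 1.
    """
    hist = Counter(pixels)
    stat, dof = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        total = n_even + n_odd
        if total < 10:  # too few samples in this pair to say anything
            continue
        stat += (n_even - n_odd) ** 2 / total
        dof += 1
    return stat / dof if dof else float("inf")

def looks_lsb_randomised(pixels, threshold=2.0):
    """Flag data whose pair counts are suspiciously well balanced."""
    return lsb_pair_score(pixels) < threshold

def constructed_cover(n=20000, seed=1):
    """Constructed 8-bit samples with an uneven even/odd histogram."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + int(rng.random() < 0.2) for _ in range(n)]

def with_random_lsbs(pixels, seed=2):
    """Simulate full-capacity embedding by replacing every LSB with a random bit."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

if __name__ == "__main__":
    cover = constructed_cover()
    altered = with_random_lsbs(cover)
    for name, data in (("cover", cover), ("altered", altered)):
        print(name, round(lsb_pair_score(data), 2), looks_lsb_randomised(data))
```

The check is a heuristic: an image that is itself uniform noise would also be flagged, and a payload occupying only a small fraction of the pixels lowers the score far less.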
These attacks involve malware types such as spyware and keyloggers, which monitor all activity on the device, and Remote Access Trojans (RATs), which enable attackers to take control of the device from a remote location. Banking Trojans are also used to take over the victim’s financial applications and bypass two-factor authentication. These malicious files are distributed as compromised media files sent through platforms such as WhatsApp, and they appear normal enough to bypass security checks. Attackers may also try social engineering, sending repeated messages or calls in the hope of persuading victims to open the infected files. Such threats are not usually picked up by traditional antivirus solutions, since the malware is hidden inside legitimate-looking files and victims do not receive any OTP alerts.
Real-Life example: The Jabalpur case
One such reported case was in Jabalpur, Madhya Pradesh, where a man received a WhatsApp message from an unknown number asking for help identifying someone in a photo. He ignored the first message, but the same number kept calling him. He eventually clicked on the image, and his phone was immediately taken over. The malware got access to his financial data and, in a very short time, Rs.2 lakh was stolen from his bank account.
Meta's Security Shortcomings: Why Recent WhatsApp Flaws Raise Concerns
The recent WhatsApp security vulnerabilities have highlighted how Meta is not really concerned about user safety. Attackers were able to disguise malware as harmless media files because WhatsApp failed to properly verify the type of file. Meta fixed the issue with version 2.2450.6; however, the delay in releasing the patch is alarming, as it shows slowness in dealing with security threats. The problem is compounded by the fact that Meta relies on users to manually update the app, unlike competitors who silently update their apps. In addition, Meta has not fully revealed the discovery process or how much risk is at stake. This pattern of late responses and insufficient communication shows that Meta needs to embrace strong security measures and genuine practices aimed at protecting its users.
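A receiving-side file-type check of the kind the paragraph above says was missing, as an added example that is not WhatsApp's code: media is accepted only when the file name, the declared MIME type and the leading bytes all agree. The allow-list, function name and sample byte strings are constructed assumptions; the signatures are the standard magic numbers for each format.

```python
import os

# Media types this hypothetical client agrees to render, keyed by declared MIME type.
ALLOWED = {
    "image/jpeg": {"exts": {".jpg", ".jpeg"}, "magic": [b"\xff\xd8\xff"]},
    "image/png": {"exts": {".png"}, "magic": [b"\x89PNG\r\n\x1a\n"]},
    "image/gif": {"exts": {".gif"}, "magic": [b"GIF87a", b"GIF89a"]},
}

# Leading bytes of content that must never be handled as a picture.
NON_MEDIA = {
    b"MZ": "a Windows executable",
    b"\x7fELF": "an ELF executable",
    b"PK\x03\x04": "a ZIP container (APK, JAR, DOCX)",
    b"%PDF-": "a PDF document",
}

def check_media(filename, declared_mime, data):
    """Return (allowed, reason); every type signal has to agree."""
    rule = ALLOWED.get(declared_mime)
    if rule is None:
        return False, f"MIME type {declared_mime!r} is not an allowed media type"
    # Only the final extension counts, so "photo.jpg.exe" is judged as ".exe".
    ext = os.path.splitext(filename.lower())[1]
    if ext not in rule["exts"]:
        return False, f"extension {ext!r} does not match {declared_mime}"
    if not any(data.startswith(m) for m in rule["magic"]):
        for magic, label in NON_MEDIA.items():
            if data.startswith(magic):
                return False, f"content is {label}, not {declared_mime}"
        return False, f"content does not start with a {declared_mime} signature"
    return True, "name, declared type and content agree"

# Constructed samples: short byte strings carrying only a leading signature.
SAMPLES = [
    ("beach.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("photo.jpg", "image/jpeg", b"PK\x03\x04" + b"\x00" * 16),
    ("photo.jpg.exe", "image/jpeg", b"MZ" + b"\x00" * 16),
    ("scan.png", "image/jpeg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, mime, blob in SAMPLES:
        print(name, mime, check_media(name, mime, blob))
```

Leading bytes only show how a file starts, so this check does not detect data hidden inside an otherwise valid image.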
How to protect yourself?
- Don’t download media from unknown contacts: If you receive a message from an unknown number containing images or videos, even ones that show thumbnails, delete it right away without opening it.
- Disable auto-download of media in WhatsApp: Go to WhatsApp Settings > Storage and Data > Media Auto-Download and uncheck all options for photos, videos, audio and documents. It stops automatic downloading of media files that could be dangerous.
- Keep your phone’s software and antivirus applications updated: Regular updates include malware protections that help defend your device against new threats.
- Spread awareness among friends and family: Educate less tech-savvy people, such as elderly relatives, about the risk of these unsolicited media messages and how to handle them safely.
- Report suspicious numbers: If you think someone is scamming you, report it to WhatsApp and block the sender. You can also report such incidents in India at the cybercrime portal: cybercrime.gov.in.
- Even messages from known contacts should be approached with caution, since scammers often hack accounts and send malware using trusted numbers. Do not respond to or attempt to verify the authenticity of a message that seems suspicious.
Future Outlook
Using technology requires everyone to stay alert, because cybercriminals have sharpened their wits. The WhatsApp image scam is a perfect example of how something as simple as opening a photo can lead to a loss of money and privacy. If we follow a few safety steps and spread awareness, we can protect ourselves and others from becoming victims. Be careful and think twice before opening any unknown image on WhatsApp.