A WhatsApp bug lets malicious media files spread through group chats

### Executive summary Google Project Zero disclosed a zero-click WhatsApp for Android vulnerability that allows an attacker to add a target to a newly created group and have malicious media automatically downloaded and used as an attack vector; Meta applied a partial server-side change but a full fix is pending. The report warns this is likely to be used in targeted campaigns, and provides actionable mitigations for users (disable automatic downloads, restrict who can add you to groups, and enable two-step verification).