“Media File Jacking” attack leverages already known fact that any app installed on a device can access and rewrite files saved in the external storage, including files saved by other apps installed on the same device. Attackers could take advantage of the relations of trust between a sender and a receiver when using these IM apps for personal gain or wreaking havoc. Users can mitigate the risk of such attacks by disabling the feature responsible for saving media files to the device’s external storage. Google’s upcoming Android Q update Android Q includes a new privacy feature called Scoped Storage.
Source: https://thehackernews.com/2019/07/media-files-whatsapp-telegram.html