Gone are the days when malicious links or fake calls were the only threats on WhatsApp. In a shocking case from Jabalpur, a 28-year-old man lost Rs 2 lakh after downloading a simple image that he received on WhatsApp. There were no suspicious links or phone calls, just one image that unleashed chaos. This new photo scam uses a technique called steganography, which enables cybercriminals to embed malicious code within normal-looking images. Once the image is downloaded, the malware silently installs itself on your phone, stealing passwords, reading OTPs, and giving hackers access to your banking apps, without you even knowing it is a trap.
WhatsApp has over 3 billion monthly users around the world, with around half a billion active in India. While its vast user base makes it easier for Indian users to connect, the platform is also becoming a petri dish for cybercriminals to grow their scams. We’ve seen scammers using WhatsApp to call people, send phishing links, and whatnot. However, now these scammers are using image files to steal users’ sensitive information and money.
Steganography is a method used to conceal data within media files. The process can be used to hide any virtual content — including text, images, videos, or audio — and the data remains hidden until it’s extracted by the receiver. Now, scammers are using this very method to steal money. They’re sending malware concealed in WhatsApp image forwards. The malware is often embedded in common formats such as .jpg, .png, .mp3, or .mp4 — files that appear safe to users. However, the malicious code is hidden in the image’s metadata or the least significant bits (LSB) of image data — this is a tiny section that does not affect the appearance but can carry concealed instructions. Once a user downloads or views this infected image, the malware silently installs itself on their device. It can access stored passwords and intercept OTPs. What makes this scam more harmful is that, unlike traditional threats like phishing links, steganographic malware leaves minimal traces and often goes undetected by antivirus software running on the devices.
According to cybersecurity professionals, detecting steganographic malware requires advanced forensic tools and behavioural analysis. Most consumer-grade antivirus apps scan for known threats or suspicious file behaviour, but they aren’t equipped to detect hidden code embedded in media files. In the case from Jabalpur, after the victim downloaded the WhatsApp-forwarded image, the malware linked to the file gained access to his phone, intercepted sensitive data, and later allowed the scammers to facilitate the unauthorised withdrawal.
How to stay safe from the WhatsApp image scam
While platforms like WhatsApp are working to make the app more secure, users also need to take proactive steps to protect themselves. Here are some key precautions:
- Disable auto-download: Go to WhatsApp Settings > Storage and Data, and turn off automatic media download. This step will prevent suspicious files from being saved to your phone without your consent.
- Do not download media from unknown contacts: If an unknown WhatsApp user sends you an image, don’t open or download it. If the person seems suspicious, block and report the number immediately.
- Limit group invites: Set your WhatsApp group privacy settings to ‘My Contacts’ to avoid being added to unknown groups.
- Avoid sharing sensitive information: Never share OTPs or banking details — even if the request seems to come from someone you know. Always verify through other channels before responding.
Some clues might indicate you’ve received a suspicious message or that the sender
- Typos or grammatical mistakes.
- Asking you to tap on a link, activate a new feature through a link, or download an app.
- Asking you to share your personal information, like credit card or bank account numbers, birth date, or passwords.
- Asking you to forward a message asking for money or claiming that you have to pay to use WhatsApp.
- The scammer pretends they’re someone you know.
- The message is about the lottery, gambling, a job, an investment, or a loan.
- The person starts chatting with you to gain your trust before asking for personal information.
When you receive messages from someone that is not in your contacts, we will show you signals in the message that you can use to determine how to respond. These signals will let you know if they’re your contact, if you have groups in common, and if their phone number is registered in a different country. From there, you can decide if you should reply, add them as a contact, block them or report them.
If a message looks suspicious or sounds too good to be true, don’t tap, share, or forward it. If you identify a suspicious message, follow the steps in this article.
Always look closely at a link or file before opening it because it may appear to be legitimate, but could be malicious. Visit our Help Center to learn more about suspicious files. As a best practice, if you aren’t sure whether something is true or don’t know who wrote the message you received, don’t forward it.
If you’re unsure of an unknown contact’s identity, ask them a personal question to confirm their identity and if they’re truly a known contact. You could also do a voice or video call with them to confirm their identity.