Whatsapp virus?

Cal

Hello.
I received a notification from Hypatia indicating that it has detected a possible virus in WhatsApp. It wasn’t a scan but a real‑time detection.
At the time of the alert I didn’t receive any file, only in two public groups (sports team and press), even though I have automatic file download disabled.
It also wasn’t updating. I don’t have the latest version of WhatsApp.
The folder where the alert appeared is
Android/media/com.whatsapp/whatsapp/.shared/(....)visualization.data

Is this a false positive? Should I be worried?
I’m letting you know that I’m using this for translation.

Watermelon

Cal I received a notification from Hypatia indicating that it has detected a possible virus in WhatsApp. It wasn’t a scan but a real‑time detection.

Antivirus apps can't scan app-private data, or stop data from entering an app based on its content. Antivirus apps can't scan the memory or network traffic of apps. The only way to try and stop exploits against an app is using GrapheneOS's per-app settings.

This is most likely a false positive, but even if not, it's most likely useless info still. There's nothing you can do to secure WhatsApp other than either stop using WhatsApp, tightening down WhatsApp settings, or enabling OS features like GrapheneOS's per-app exploit protections on WhatsApp.

Cal I had several crashes in WhatsApp a few months ago

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr (.....) threadName: com.whatsapp MTE: enabled

WhatsApp's legitimate code is well known to be triggering GrapheneOS's per-app exploit mitigations, such as memory tagging, because it's so shitty and irresponsibly written. I suggest you keep memory tagging enabled on WhatsApp if you can suffer through these crashes and silence the notifications for it, or disable memory tagging on WhatsApp if it's insufferable.

dhhdjbd (pretty sure i mostly heard that they are scams on android)

Antivirus apps can scan the contents of the installed apps (APKs): all their native code, Dalvik bytecode, included assets, etc. I wouldn't say they're a scam, but there's a lot of legitimate criticism about them.

Cal Yeah I know, they give you a false sensation of security.

Antivirus wouldn't give you a false sense of security once you understand that it's in no way a replacement for GrapheneOS's sandboxing, permissions, exploit mitigations, etc. :) You control your own thoughts, after all.

Cal Knowing that I have installed hypatia, a offline clamav style open source app, with the extended data base and I am aware that having a scanner doesn't mind I am protected anyway. It's just another precaution.

Do you have Google Play Store installed? If yes, you can just use Google Play Protect which is already included in it, and it probably has much fewer false positives than the app you use. It doesn't scan files though, only installed apps. You can disable its improve harmful app detection setting if you don't want it to upload unrecognized apps from your device.

Cal Should I be worried?

I suggest you to check my tips for WhatsApp here:
https://discuss.grapheneos.org/d/29977-privacy-in-the-messenger/23

Cal

A quick update

I had several crashes in WhatsApp a few months ago

signal: 11 (SIGSEGV), code 9 (SEGV_MTESERR), faultAddr (.....) threadName: com.whatsapp MTE: enabled

dhhdjbd

Cal

I never heard avout a virusscanner app beeing recommended (pretty sure i mostly heard that they are scams on android)

and furthermore whatsapp just has mte kind of bugs, it is just the app itself beeing trash/ they dont care

you can try virustotal (if this viruscanner detected something, virustotal should aswell)

but if you dont have a reason to believe that someone would hack you, the issue is most likely the virusscanner

Vomitorius

Whatsapp is worldwide known for being most exploited messenger by hackers, but people still keep using it.

Cal

Vomitorius

I have no other option than have it, as all my family and friends have it. :(

Also if the link of virus total contains private information, @mods please delete it

Vomitorius

Cal of course, being hacked is worth those friend messages.

CGG

@Cal do you have the content of the data? Google project zero have encountered some 0 click whatsapp flaw. You can check at their site.

Despite of that generally whatsapp flaws are bad processed files (for ex. media, photos, documents) that stole your session, make you send a virus or propagate to another users or even cause a RCE on your phone and take over it.

CGG

What i can say to you is that this file is part of whatsapp media playback... what is inside this media could be dangerous or not, just some voice message you sent or received. The best thing is try to identify the content of this file, send it to virustotal but i dont think you will find anything useful there... i hope you find but its not common antivirus identify those kinds of attack

Cal

CGG The best thing is try to identify the content of this file, send it to virustotal but i dont think you will find anything useful there... i hope you find but its not common antivirus identify those kinds of attack

I tried to find the file in the folder however as I didn't send them don't appear.

Cal

dhhdjbd I never heard avout a virusscanner app beeing recommended (pretty sure i mostly heard that they are scams on android)

Yeah I know, they give you a false sensation of security.

Knowing that I have installed hypatia, a offline clamav style open source app, with the extended data base and I am aware that having a scanner doesn't mind I am protected anyway. It's just another precaution.

Cal

I have news.

First of all thank you all!! Also @mods for deleting the link.

I got the same warning again, it happened when I started a voice message. However the warning was with the first try, I tried to do it again and don't warn again.

Cal

Watermelon thank you for all the tips and knowledge you shared.

Let's hope its a false positive as I understand its the most probable thing.