WhatsApp Android Contact Gating Bypass

02 Dec 2025 00:00:00 | Reported by Brendon Tiszka, Google Security Research | Type: packetstorm
Source: packetstorm.news

WhatsApp Android bypasses contact gating to auto-download media from non-contacts and groups.

Background
    
    To prevent security issues and spam, WhatsApp for Android requires some form of user interaction before it will automatically download files from non-contacts:
    
    a. After adding someone as a contact, all future received images/files will be downloaded.
    b. For individual chats, if you respond to a non-contact, future media/documents will be automatically downloaded.
    c. For group chats, opening the group once will cause all future messages to be downloaded from that group.
    d. Manually pressing download on an image from a non-contact will also download the media/document.
    
    Once files are downloaded they can appear in the MediaStore database, which opens up attack surface. WhatsApp calls MEDIA_SCANNER_SCAN_FILE on the file immediately after download, so it should show up in MediaStore immediately. Vulnerabilities that bypass any of these gates can make bugs like PZ-442423708 and PZ-443741909 reachable without any of the user interaction listed above. This vulnerability requires the precondition of knowing, guessing, or leaking a contact, making it lower severity than a full contact gating bypass. However, it is easy to attempt this many times in quick succession, and likely easy to guess contacts in targeted attacks.
    
    VULNERABILITY DETAILS/REPRODUCTION CASE
    
        1. Attacker creates a WhatsApp group.
        2. Attacker adds Victim to the WhatsApp group.
        3. Attacker adds Victim's Contact to the WhatsApp group.
        4. Attacker promotes Victim's Contact to admin.
        5. Attacker sends a presumably malicious image to the WhatsApp group (WhatsApp Web is the easiest way to avoid errors on the sender's client).
        6. Victim's device automatically downloads the image without the Victim ever interacting with the group.
           6.a. Note that the image is not downloaded by the Victim's Contact.
    
    Note: to verify that the photo is now in the MediaStore database, run adb shell content query --uri content://media/external/file --projection _data on the Victim's device.
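    A defender-side way to carry out that check, as an added example that is not part of the advisory: the script parses the Row: N _data=... lines that adb shell content query prints, keeps paths under WhatsApp's media directory (the '/WhatsApp/Media/' pattern is an assumption), and diffs a baseline snapshot against one taken after the group message arrives. The sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). Parses the output of
#   adb shell content query --uri content://media/external/file --projection _data
# to show which WhatsApp media appeared in MediaStore after a message arrived.

# whatsapp_media_paths: read query rows on stdin and print the _data path of
# every row under a WhatsApp media directory. Expected row format (one per line):
#   Row: 0 _data=/storage/emulated/0/...
# adb output can carry CR line endings, so they are stripped first. The
# '/WhatsApp/Media/' directory pattern is an assumption, not from the advisory.
whatsapp_media_paths() {
    tr -d '\r' | sed -n 's/^Row: [0-9]* _data=//p' | grep -F '/WhatsApp/Media/' || :
}

# new_since_baseline BASELINE CURRENT: print paths present in CURRENT but absent
# from BASELINE (both newline-separated lists). comm requires sorted input.
new_since_baseline() {
    base_tmp=$(mktemp) && cur_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | sort -u > "$base_tmp"
    printf '%s\n' "$2" | sort -u > "$cur_tmp"
    comm -13 "$base_tmp" "$cur_tmp"
    rm -f "$base_tmp" "$cur_tmp"
}

# Constructed sample snapshots: BEFORE is taken before the group message is
# sent, AFTER once it has arrived, without the user ever opening the group.
BEFORE_ROWS='Row: 0 _data=/storage/emulated/0/DCIM/Camera/IMG_0001.jpg
Row: 1 _data=/storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp Images/IMG-20251101-WA0001.jpg
Row: 2 _data=/storage/emulated/0/Download/report.pdf'
AFTER_ROWS="$BEFORE_ROWS
Row: 3 _data=/storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp Images/IMG-20251202-WA0003.jpg"

# check_sample: run the whole check over the constructed snapshots and print the
# files that appeared. On a real device, replace each printf with the adb query.
check_sample() {
    before=$(printf '%s\n' "$BEFORE_ROWS" | whatsapp_media_paths)
    after=$(printf '%s\n' "$AFTER_ROWS" | whatsapp_media_paths)
    new_since_baseline "$before" "$after"
}

check_sample
```

    Any path the script prints for a chat or group the user never opened is evidence that the gating was bypassed on that device.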
    
    Note: disabling Automatic Download or enabling WhatsApp Advanced Privacy Mode prevents the file from being automatically downloaded.
    
    VERSION
    
    WhatsApp Version: 2.25.23.81 (stable on the WhatsApp website).
    WhatsApp Version: 2.25.22.80 (stable on the Play Store).
    
    Credit Information
    
    Brendon Tiszka of Google Project Zero.
    
    This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-11-30.
