Researchers at Symantec on Monday disclosed the security flaw, which undermines the notion that content in encrypted apps is impervious to manipulation, according to Yair Amit, chief technology officer of Modern OS Security at Symantec.

“End-to-end encryption is a very important mechanism to assure the integrity of communication, but it isn’t enough if app-level vulnerabilities exist in the code,” Amit says.

This particular hack is called media jacking, because it lets hackers hijack the files someone has stored in WhatsApp, and potentially alter them without being detected. A similar flaw was also found in Telegram, another encrypted messaging app, Symantec said on Monday.

Android smartphones set to store media files from apps externally are vulnerable. The hack takes advantage of the time between when a file is stored, and when it is opened by the user in an app.

During that window, hackers can use malware to manipulate the files in-real time, without the recipient realizing they received a doctored document, according to Symantec. The attack can be launched from the smartphone of someone sending a message, or from the recipient’s smartphone.

The exploit could be used for nefarious purposes including altering an invoice to trick a customer into paying another account or altering faces in a photo, according to Symantec’s research.

While there’s no evidence that the security flaw has been used, Amit says the best defense is for people to disable the external storage feature for apps.

In May, WhatsApp told users to immediately update its app after the Facebook-owned company said it had discovered a vulnerability that could let hackers insert and execute code on mobile devices. The hole allowed hackers to install surveillance software that could let them snoop on their target.