WhatsApp Flaw Opens Android Devices to Remote Code Execution (October 3rd, 2019)

Description

A Singapore-based technologist and information security enthusiast known as “Awakened” has identified a flaw in the WhatsApp messaging platform on Android devices (Montalbano, 2019). It is recommended that you take the necessary precautions by ensuring your devices are always updated.

Summary

WhatsApp has recently patched a critical security vulnerability in its application for Android, which remained unpatched for at least three (3) months after being discovered. If exploited it could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. The exploit seems to affect primarily Android devices. According to the researcher, “The exploit works well for android 8.1 and 9 operating systems (OS), but does not work for Android 8.0 and below.”(Awakened, 2019) (The vulnerability,  tracked as CVE-2019-11932, is a double-free memory corruption bug that does not reside in the WhatsApp code itself, but in an open-source GIF image parsing library that WhatsApp uses. For those unfamiliar with the term, “a double-free vulnerability”, it refers to a memory corruption glitch that could crash an app, or worse open up and exploit path that attackers can abuse to obtain access to your device (Montalbano, 2019).

How does the WhatsApp RCE vulnerability Work?

WhatsApp uses the parsing library to generate previews for GIF files when users open their device gallery before sending any media file to their friends or family. Thus, a point to note is that the vulnerability does not get triggered by sending a malicious GIF file to a victim; instead it gets executed when the victim themselves simply opens the WhatsApp gallery picker while trying to send any media file to someone.

The Guyana National CIRT recommends users and administration to review the update and apply it where necessary.

References

Awakened. (2019, October 02). How a double-free bug in WhatsApp turns to RCE. Retrieved from github.io: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/

Montalbano, E. (2019, October 03). WhatsApp Flaw Opens Android Devices to Remote Code Execution. Retrieved from Threatpost.com: https://threatpost.com/whatsapp-flaw-opens-Android-devices-to-remote-code-execution/148888/