WhatsApp Flaw Opens Android Devices to Remote Code Execution

A double-free bug could allow an attacker to achieve remote code execution; users are encouraged to update to a patched version of the messaging app.

A security researcher has identified a flaw in the popular WhatsApp messaging platform on Android devices, which could allow attackers to launch privilege elevation and remote code execution (RCE) attacks on victims.

Exploiting the flaw, described in a Wednesday post on GitHub by a Singapore-based “technologist and an information security enthusiast” called Awakened, is a rather complicated affair. An attack involves a bad actor sending a malicious GIF file to a victim via “any channel,” whether it’s an email or in a direct message on WhatsApp. After a victim has downloaded the GIF file onto his device, the second step happens when he opens the WhatsApp Gallery in order to send a media file to another user from WhatsApp (the victim doesn’t need to actually send anything, just open the WhatsApp Gallery).

That’s when the attack is triggered, according to Awakened. “Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit,” the researcher wrote.

The exploit works on Android 8.1 and 9.0 with WhatsApp versions up to 2.19.230. It does not work on Android 8.0 and below, although the bug potentially still could be triggered in these versions, according to Awakened.

The researcher informed Facebook of the bug and the company has since released an official patch for the app in WhatsApp version 2.19.244, according to Awakened. The researcher advised users to update to this version to “stay safe from this bug.”

A double-free bug (this one is tracked as CVE-2019-11932) occurs when a program frees the same memory location twice, which can either crash an app or open a vulnerability.

In this case, when a WhatsApp user opens the Gallery view to send a media file, WhatsApp parses it with a native open-source library called libpl_droidsonroids_gif.so to generate the preview of the GIF file, which contains multiple encoded frames, according to Awakened.

“To store the decoded frames, a buffer with name rasterBits is used,” the researcher wrote. “If all frames have the same size, rasterBits is re-used to store the decoded frames without re-allocation.”

However, if one of three conditions is met, rasterBits could be re-allocated, which can trigger an event that allows an attacker to exploit the vulnerability, according to Awakened. A video demo also is available online showing how the attack works.
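The buffer-reuse logic described above is where a double free typically creeps in. The following C sketch is an added example, not code from the article, the researcher or the GIF library: it sets an unsafe resize beside a hardened one. Only the name rasterBits comes from the article; the struct, the function names and the zero-size trigger are assumptions used for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical decoder state; only the name rasterBits comes from the article. */
typedef struct {
    uint8_t *rasterBits; /* decoded-frame buffer, reused across frames */
    size_t   capacity;   /* bytes currently allocated */
} FrameDecoder;

/* Unsafe pattern, for comparison only (never called here). If w*h is 0,
 * realloc() may free the block and return NULL; the error path then leaves
 * rasterBits pointing at freed memory, so the next resize or the final
 * cleanup frees it a second time. */
int resize_unsafe(FrameDecoder *d, size_t w, size_t h) {
    void *tmp = realloc(d->rasterBits, w * h);
    if (tmp == NULL) return -1;        /* stale d->rasterBits survives */
    d->rasterBits = tmp;
    return 0;
}

/* Hardened resize: reject empty and overflowing sizes before touching the
 * allocator, and reallocate only when the frame outgrows the buffer. */
int resize_safe(FrameDecoder *d, size_t w, size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return -1;
    size_t need = w * h;
    if (need <= d->capacity) return 0; /* reuse without re-allocation */
    void *tmp = realloc(d->rasterBits, need);
    if (tmp == NULL) return -1;        /* old block is still valid */
    d->rasterBits = tmp;
    d->capacity = need;
    return 0;
}

/* Single owner of the free: clearing the pointer makes a repeat call a no-op. */
void decoder_release(FrameDecoder *d) {
    free(d->rasterBits);
    d->rasterBits = NULL;
    d->capacity = 0;
}
```

Building decoder code like this with AddressSanitizer (`-fsanitize=address`) and feeding it malformed frame sizes reports a double free at the second `free()` rather than leaving silent heap corruption.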

Once exploited, there are two attack vectors that attackers can leverage, according to Awakened. The first is local privilege escalation, in which a malicious app is installed on the device that collects addresses of zygote libraries (zygote is the template process for each app and service started on the device) and generates a malicious GIF file that results in code execution in WhatsApp context.

“This allows the malware app to steal files in WhatsApp sandbox including message database,” the researcher wrote.

The second option is the aforementioned RCE, in which an attacker pairs with an application that has a remote memory information disclosure vulnerability to collect the addresses of zygote libraries and craft a malicious GIF file. This then can be sent to the user via WhatsApp as an attachment, according to the post.

“As soon as the user opens the Gallery view in WhatsApp … the GIF file will trigger a remote shell in WhatsApp context,” the researcher wrote.

The flaw is the latest of a flurry of vulnerabilities found in recent months on the messaging app used daily by 300 million people worldwide. In May researchers identified a zero-day flaw that could allow attackers to inject spyware onto users’ machines. Then in July, a developer-coding flaw was found that allows cyber attackers to intercept media files sent on the Android platform.
