Friday, April 11, 2025

GIF Processing Vulnerability That Present in WhatsApp Also Affects More Than 28,300 Android Apps

WhatsApp recently patched a vulnerability that allows remote attackers to execute arbitrary code or cause a DoS situation. The vulnerability is tracked as CVE-2019-11932.

The vulnerability resides in the libpl_droidsonroids_gif library, which is part of the android-gif-drawable package. The library provides Views and Drawables for displaying animated GIFs on Android.

The vulnerability was patched in version 2.19.244 (the affected version is 1.2.15), but the problem is that several apps still using the old version remain at risk.

Double-free Bug

The vulnerability was discovered in WhatsApp by security researcher Awakened, who managed to convert the double-free bug into an RCE.

Facebook acknowledged the vulnerability and patched it in WhatsApp version 2.19.244; users are advised to update to that version or later to stay safe.

An attacker could exploit this vulnerability by sending a crafted zip file that contains three frames with sizes 100, 0 and 0. On Android, re-allocating the buffer to size 0 frees it, so the repeated re-allocation of 0 leads to a double-free.

  • After the first re-allocation, we have info->rasterBits buffer of size 100.
  • In the second re-allocation of 0, info->rasterBits buffer is freed.
  • In the third re-allocation of 0, info->rasterBits is freed again.
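The three re-allocations above, as an added example that is not code from android-gif-drawable or from the researcher's write-up: a small C model in which a `block_t` stands in for a heap allocation, so the double free is counted rather than aborting the process. It assumes the realloc-to-0-frees behaviour the write-up attributes to Android and a decoder loop that keeps its old pointer when realloc returns NULL; the hardened loop beside it never passes size 0 to realloc and nulls the pointer after releasing the buffer.

```c
#include <stdlib.h>
/* Added example (not android-gif-drawable code): a model of the per-frame
   raster-buffer re-allocation behind CVE-2019-11932. A block_t stands in for a
   heap allocation so that a double free is counted instead of aborting. */
typedef struct { size_t size; int freed; } block_t;
typedef struct { block_t *rasterBits; size_t rasterSize; int double_frees; } frame_info_t;

/* Models the realloc behaviour the write-up attributes to Android: size 0 releases
   the block and returns NULL. Blocks are never reclaimed, so stale ones stay inspectable. */
static block_t *model_realloc(frame_info_t *info, block_t *p, size_t n) {
    if (n == 0) {
        if (p != NULL) { info->double_frees += p->freed; p->freed = 1; }
        return NULL;
    }
    if (p == NULL) p = calloc(1, sizeof *p);   /* assumed never to fail here */
    p->size = n;
    return p;
}

/* Constructed model of the unpatched pattern: every frame re-allocates and a NULL
   return is treated as "keep the old buffer", so after a 0-pixel frame the stale
   pointer goes back into realloc. Returns the number of double frees. */
int slurp_vulnerable(frame_info_t *info, const size_t *sizes, size_t n) {
    for (size_t i = 0; i < n; i++) {
        block_t *tmp = model_realloc(info, info->rasterBits, sizes[i]);
        if (tmp != NULL) info->rasterBits = tmp;
        info->rasterSize = sizes[i];
    }
    return info->double_frees;
}

/* Hardened pattern: never hand size 0 to realloc; release explicitly, null the
   pointer, and always take the returned pointer. Returns 0 on success. */
int slurp_hardened(frame_info_t *info, const size_t *sizes, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] == 0) {                 /* empty frame: nothing to decode */
            free(info->rasterBits); info->rasterBits = NULL; info->rasterSize = 0;
            continue;
        }
        block_t *tmp = model_realloc(info, info->rasterBits, sizes[i]);
        if (tmp == NULL) return -1;          /* genuine allocation failure */
        info->rasterBits = tmp;
        info->rasterSize = sizes[i];
    }
    return 0;
}
/* Frame sizes 100, 0, 0 from the write-up; each helper runs one pattern over them. */
static const size_t FRAMES[] = {100, 0, 0};
int demo_vulnerable(void) { frame_info_t f = {0}; int d = slurp_vulnerable(&f, FRAMES, 3); free(f.rasterBits); return d; }
int demo_hardened(void) { frame_info_t f = {0}; int r = slurp_hardened(&f, FRAMES, 3); if (f.rasterBits) r = -2; free(f.rasterBits); return r; }
```

Running the unpatched loop over the 100, 0, 0 sequence reports exactly one double free (the third re-allocation), while the hardened loop finishes with no double free and a NULL buffer pointer.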

Trend Micro has published a video demonstrating the vulnerability.

Impact of the vulnerability

Earlier it was thought that only WhatsApp was affected, but more than 28,300 Android apps that use android-gif-drawable are at risk. These apps are available on Google Play and on other third-party stores.

According to the Trend Micro report, “As it turned out, quite a few. On Google Play alone, we found more than 3,000 applications with this vulnerability. We also found many other similar apps hosted on third-party app stores such as 1mobile, 9Apps, 91 market, APKPure, Aptoide, 360 Market, PP Assistant, QQ Market, and Xiaomi Market.”

Here you can find the list of vulnerable apps. If you use any of the vulnerable apps, an attacker may exploit the vulnerability and take control of the device.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
