The vulnerability resides “libpl_droidsonroids_gif” library which is the part of the android-gif-drawable package. The library is responsible for providing Views and Drawable for displaying animated GIFs on Android.
The vulnerability was patched with version 2.19.244, affected version 1.2.15, but the problem is, still several apps that use the old version are under risk.
The vulnerability was discovered by security researcher Awakened in WhatsApp and he managed to convert the double-free bug to an RCE.
Facebook acknowledged the vulnerability and patched with WhatsApp version 2.19.244 or above, users are recommended to update with a new version to stay safe.
An attacker could exploit this vulnerability by sending a crafted zip file that contains three frames with sizes 100, 0 and 0. With Android double-free of the memory size leads to double-free vulnerability.
- After the first re-allocation, we have info->rasterBits buffer of size 100.
- In the second re-allocation of 0, info->rasterBits buffer is freed.
- In the third re-allocation of 0, info->rasterBits is freed again.
Trend Micro has published a video demonstrating the vulnerability.
Impact of the vulnerability
Earlier it was mentioned only the WhatsApp was affected, but there are more than 28,300 Android Apps that use android-gif-drawable are under risk. These apps are in Google play and with other third-party stores.
According to the Trend Micro report, “As it turned out, quite a few. On Google Play alone, we found more than 3,000 applications with this vulnerability. We also found many other similar apps hosted on third-party app stores such as 1mobile, 9Apps, 91 market, APKPure, Aptoide, 360 Market, PP Assistant, QQ Market, and Xiaomi Market.”
Here you can find the list of vulnerable apps. If you use any one of the vulnerable apps that it may let an attacker to exploit the vulnerability and to take control over the device.