Tuesday, January 14, 2025
HomeAndroidNew WhatsApp RCE Vulnerability Let Remote Hackers Steal the Files in Your...

New WhatsApp RCE Vulnerability Let Remote Hackers Steal the Files in Your Android Phone Using Malformed GIF’s

Published on

A security researcher discovered a critical Double-free vulnerability in WhatsApp allows remote attackers to take control of your Android phone and Steal the files by sending malformed GIFs.

Facebook-owned privacy-oriented messenger WhatsApp is one of the Top-ranked Messanger apps with more than Billion users around the world in both Android and iPhone.

The researcher found that the Double-free vulnerability that resides in the WhatsApp‘s Gallery view implementation, which is mainly used to generate a preview for media such as images, videos, and GIFs.

To Exploit this double-free vulnerability, the attacker sends a GIF file to the targeted Android device via any channels and the user just needs to open a gallery via pressing the Paper Clip button in WhatsApp.

A researcher with the nickname of Awakened, find this Double-free vulnerability in WhatsApp said through his Technical Writeup “user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug. No additional touch after pressing WhatsApp Gallery is necessary.”

WhatsApp Double-free vulnerability Attack Vectors

Attackers can exploit this vulnerability using two different attack vectors that are both local privilege escalation and remote code execution on victims’ Android devices.

With Local privilege Escalation, the Attacker will install a malicious app in the victims’ Android Phone, and the app can collect addresses of zygote libraries and generates a malicious GIF file.

Once the Malicious GIF file implant to the Android devices, it can execute the code in the WhatsApp context and app eventually steal the files from WhatsApp sandbox that includes a message database.

In Remote code execution Attack Vector, Attackers can abuse and pair with the application such as a browser that has remote memory information disclosure vulnerability to collect the addresses of zygote libraries and craft a malicious GIF file.

Later he will send the malicious GIF file to the targeted victims via WhatsApp with the format of the attachment( not as an image through Gallery Picker).

Once the user will open the gallery view through WhatsApp, The malicious GIF file will eventually trigger the remote shell in the WhatsApp context.

RCE Exploit Demonstration

Awakened create a proof-of-concept for this Whatsapp Double-free vulnerability and demonstrate the attack in the below video.

In this Video Demo, We could see that the malicious GIF file received and the file can be received the file via any medium.

The Corrupted GIF file is downloaded automatically without any user interaction in the victims mobile.

If the victims want to send any media file to his friends, he needs to tap the Paper clip button and opens the WhatsApp Gallery to choose a media file to send to his friend.

Since the bug resides in the WhatsApp‘s Gallery view implementation, the user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug without any additional touch.

“By default, WhatsApp shows previews of every media (including the GIF file received), it will trigger the Whatsapp Double-free vulnerability and our RCE exploit.” Awakened said.

The vulnerability has been successfully tested in Android 8.1 and 9.0 and if you’re using any below than WhatsApp version 2.19.244 then its times to update your WhatsApp Immediately.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Also Read: WhatsApp Privacy Flaw – Delete for Everyone Feature Fails to Delete Media from iPhone

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New FireScam Android Malware Abusing Firebase Services To Evade Detection

FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data...

Hackers Weaponize Security Testing By Weaponizing npm, PyPI, & Ruby Exploit Packages

Over the past year, malicious actors have been abusing OAST services for data exfiltration,...

Android Security Updates: Patch for Critical RCE Vulnerabilities

The January 2025 Android Security Bulletin has issued important updates regarding critical vulnerabilities that...