A security researcher discovered a critical Double-free vulnerability in WhatsApp allows remote attackers to take control of your Android phone and Steal the files by sending malformed GIFs.
Facebook-owned privacy-oriented messenger WhatsApp is one of the Top-ranked Messanger apps with more than Billion users around the world in both Android and iPhone.
The researcher found that the Double-free vulnerability that resides in the WhatsApp‘s Gallery view implementation, which is mainly used to generate a preview for media such as images, videos, and GIFs.
To Exploit this double-free vulnerability, the attacker sends a GIF file to the targeted Android device via any channels and the user just needs to open a gallery via pressing the Paper Clip button in WhatsApp.
A researcher with the nickname of Awakened, find this Double-free vulnerability in WhatsApp said through his Technical Writeup “user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug. No additional touch after pressing WhatsApp Gallery is necessary.”
WhatsApp Double-free vulnerability Attack Vectors
Attackers can exploit this vulnerability using two different attack vectors that are both local privilege escalation and remote code execution on victims’ Android devices.
With Local privilege Escalation, the Attacker will install a malicious app in the victims’ Android Phone, and the app can collect addresses of zygote libraries and generates a malicious GIF file.
Once the Malicious GIF file implant to the Android devices, it can execute the code in the WhatsApp context and app eventually steal the files from WhatsApp sandbox that includes a message database.
In Remote code execution Attack Vector, Attackers can abuse and pair with the application such as a browser that has remote memory information disclosure vulnerability to collect the addresses of zygote libraries and craft a malicious GIF file.
Later he will send the malicious GIF file to the targeted victims via WhatsApp with the format of the attachment( not as an image through Gallery Picker).
Once the user will open the gallery view through WhatsApp, The malicious GIF file will eventually trigger the remote shell in the WhatsApp context.
RCE Exploit Demonstration
Awakened create a proof-of-concept for this Whatsapp Double-free vulnerability and demonstrate the attack in the below video.
In this Video Demo, We could see that the malicious GIF file received and the file can be received the file via any medium.
The Corrupted GIF file is downloaded automatically without any user interaction in the victims mobile.
If the victims want to send any media file to his friends, he needs to tap the Paper clip button and opens the WhatsApp Gallery to choose a media file to send to his friend.
Since the bug resides in the WhatsApp‘s Gallery view implementation, the user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug without any additional touch.
“By default, WhatsApp shows previews of every media (including the GIF file received), it will trigger the Whatsapp Double-free vulnerability and our RCE exploit.” Awakened said.
The vulnerability has been successfully tested in Android 8.1 and 9.0 and if you’re using any below than WhatsApp version 2.19.244 then its times to update your WhatsApp Immediately.