New WhatsApp RCE Vulnerability Let Remote Hackers Steal the Files in Your Android Phone Using Malformed GIF’s

A security researcher discovered a critical Double-free vulnerability in WhatsApp allows remote attackers to take control of your Android phone and Steal the files by sending malformed GIFs.

Facebook-owned privacy-oriented messenger WhatsApp is one of the Top-ranked Messanger apps with more than Billion users around the world in both Android and iPhone.

The researcher found that the Double-free vulnerability that resides in the WhatsApp‘s Gallery view implementation, which is mainly used to generate a preview for media such as images, videos, and GIFs.

To Exploit this double-free vulnerability, the attacker sends a GIF file to the targeted Android device via any channels and the user just needs to open a gallery via pressing the Paper Clip button in WhatsApp.

A researcher with the nickname of Awakened, find this Double-free vulnerability in WhatsApp said through his Technical Writeup “user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug. No additional touch after pressing WhatsApp Gallery is necessary.”

WhatsApp Double-free vulnerability Attack Vectors

Attackers can exploit this vulnerability using two different attack vectors that are both local privilege escalation and remote code execution on victims’ Android devices.

With Local privilege Escalation, the Attacker will install a malicious app in the victims’ Android Phone, and the app can collect addresses of zygote libraries and generates a malicious GIF file.

Once the Malicious GIF file implant to the Android devices, it can execute the code in the WhatsApp context and app eventually steal the files from WhatsApp sandbox that includes a message database.

In Remote code execution Attack Vector, Attackers can abuse and pair with the application such as a browser that has remote memory information disclosure vulnerability to collect the addresses of zygote libraries and craft a malicious GIF file.

Later he will send the malicious GIF file to the targeted victims via WhatsApp with the format of the attachment( not as an image through Gallery Picker).

Once the user will open the gallery view through WhatsApp, The malicious GIF file will eventually trigger the remote shell in the WhatsApp context.

RCE Exploit Demonstration

Awakened create a proof-of-concept for this Whatsapp Double-free vulnerability and demonstrate the attack in the below video.

In this Video Demo, We could see that the malicious GIF file received and the file can be received the file via any medium.

The Corrupted GIF file is downloaded automatically without any user interaction in the victims mobile.

If the victims want to send any media file to his friends, he needs to tap the Paper clip button and opens the WhatsApp Gallery to choose a media file to send to his friend.

Since the bug resides in the WhatsApp‘s Gallery view implementation, the user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug without any additional touch.

“By default, WhatsApp shows previews of every media (including the GIF file received), it will trigger the Whatsapp Double-free vulnerability and our RCE exploit.” Awakened said.

The vulnerability has been successfully tested in Android 8.1 and 9.0 and if you’re using any below than WhatsApp version 2.19.244 then its times to update your WhatsApp Immediately.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Also Read: WhatsApp Privacy Flaw – Delete for Everyone Feature Fails to Delete Media from iPhone

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

15 hours ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

15 hours ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

15 hours ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

15 hours ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

15 hours ago

DigiEver IoT Devices Exploited To Deliver Mirai-based Malware

A new Mirai-based botnet, "Hail Cock Botnet," has been exploiting vulnerable IoT devices, including DigiEver…

15 hours ago