Android phone hacked using WhatsApp with a GIF image
A GIF image can be used to perform a remote code execution attack on Android smartphones running WhatsApp. The flaw is a double-free memory corruption bug that resides not in the WhatsApp code itself but in an open-source GIF image parsing library that WhatsApp uses. WhatsApp has recently patched this critical security vulnerability in its app for Android; it remained unpatched for at least 3 months after being discovered and, if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. The vulnerability was discovered by Vietnamese security researcher Pham Hong Nhat in May this year. It enables attackers to execute arbitrary code on targeted devices in the context of WhatsApp, with the permissions the app has on the device.
The researcher stated in an interview: “The payload is executed under WhatsApp context. Therefore, it has the permission to read the SDCard and access the WhatsApp message database.” “Malicious code will have all the permissions that WhatsApp has, including recording audio, accessing the camera, accessing the file system, as well as WhatsApp’s sandbox storage that includes protected chat database and so on…”
How the WhatsApp RCE vulnerability works:
WhatsApp uses a parsing library to generate a preview for GIF files when users open their device gallery before sending a media file to friends or family. The vulnerability is therefore triggered only when the victim opens the WhatsApp Gallery Picker while trying to send a media file to someone. An attacker who delivers the GIF file through a messaging platform such as WhatsApp or Messenger has to send it as a document file rather than as a media attachment, because the image compression these services apply distorts the malicious payload hidden in the image.
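The bug class named above, a double free in a frame-decoding path, shown as an added example beside a hardened form. This is an illustration written for this page, not code from WhatsApp or from the GIF library; the struct names, function names and the MAX_DIM limit are assumptions.

```c
#include <stdlib.h>

/* Hypothetical decoder state: one pixel buffer reused for every frame. */
struct decoder { unsigned char *raster; };
struct frame   { size_t width, height; };
#define MAX_DIM 4096u /* assumed sanity limit for this example */

/* BEFORE (for contrast, never called): with width*height == 0, realloc() may
 * free the old block and return NULL. NULL is read as "out of memory", so
 * d->raster is left dangling and a later resize or cleanup frees it again. */
int resize_vulnerable(struct decoder *d, const struct frame *f) {
    unsigned char *p = realloc(d->raster, f->width * f->height);
    if (p == NULL) return -1;
    d->raster = p;
    return 0;
}

/* AFTER: reject empty or oversized frames before calling the allocator, so
 * realloc() never sees a 0-byte request and the product cannot overflow. */
int resize_hardened(struct decoder *d, const struct frame *f) {
    if (f->width == 0 || f->height == 0) return -1;
    if (f->width > MAX_DIM || f->height > MAX_DIM) return -1;
    unsigned char *p = realloc(d->raster, f->width * f->height);
    if (p == NULL) return -1; /* old buffer is still valid and still owned */
    d->raster = p;
    return 0;
}

/* Nulling the pointer after free() makes a repeated cleanup call harmless. */
void decoder_free(struct decoder *d) {
    free(d->raster);
    d->raster = NULL;
}

/* Constructed input: two valid frames interleaved with two zero-sized ones. */
const struct frame SAMPLE_FRAMES[4] = { {4, 4}, {0, 0}, {8, 2}, {0, 0} };

/* Counts accepted frames; a rejected frame leaves the decoder state intact. */
size_t decode_frames(struct decoder *d, const struct frame *fr, size_t count) {
    size_t ok = 0;
    for (size_t i = 0; i < count; i++)
        if (resize_hardened(d, &fr[i]) == 0) ok++;
    return ok;
}
int main(void) {
    struct decoder d = {0};
    size_t ok = decode_frames(&d, SAMPLE_FRAMES, 4);
    decoder_free(&d);
    return ok == 2 ? 0 : 1;
}
```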
The CVE of the vulnerability: CVE-2019-11932
Vulnerable Apps, Devices, and Available Patches:
The issue affects WhatsApp versions 2.19.230 and older running on Android 8.1 and 9.0, but it does not work on Android 8.0 and below. To protect yourself against any exploit of this vulnerability, update WhatsApp to the latest version from the Google Play Store as soon as possible.