WhatsApp vulnerability could compromise Android smartphones

A researcher has released details of a WhatsApp remote code execution (RCE) flaw it is claimed could be used to compromise not only the app but the mobile device the app is running on.

Reported to Facebook some weeks ago by a researcher called ‘Awakened’, the critical issue (CVE-2019-11932) affects users of the Android versions of the app, specifically versions 8.1 and 9.0 although not, apparently, version 8.0 (Apple’s iOS doesn’t appear to be affected).

It’s described as a double-free memory vulnerability in a WhatsApp image preview library called libpl_droidsonroids_gif.so, and some aspects of how it might execute remain unclear.

The researcher says an attack would involve first sending a malicious GIF image using any channel, that is by email, a rival messaging app, or sent direct through WhatsApp itself.

If WhatsApp is being used, and the attacker (or hapless intermediary) is on the contacts list of the user as a friend, apparently this GIF would download to the device automatically.

Execution would happen when the recipient subsequently opens the WhatsApp Gallery even if no file is selected or sent. Writes Awakened:

Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.

To back this up, Awakened has released a video showing the sequence of events running on WhatsApp v2.19.203.