Facebook released an update in September to counter hacking attempts on older Android devices that use suspicious GIFs containing malware, which could be used to access extreme amounts of user data.
An unnamed technologist and information security enthusiast known as "Awakened" has shared an exploit recently found in WhatsApp for Android 8.0 and 9.0 devices that could expose users to hacking through a malicious GIF.
In a blog post shared on GitHub, Awakened describes the exploit as a bug that can easily be set off if the user already has malware or a malicious app on the device, which then collects data from the device without the user’s knowledge. The other means, viewed as harder to avoid, is executed remotely when a user opens an image attachment in the WhatsApp gallery. The Awakened GitHub page says:
“Pairing with an application that has a remote memory information disclosure vulnerability (e.g. browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send it to the user via WhatsApp (must be an attachment, not as an image through Gallery Picker). As soon as the user opens the Gallery view in WhatsApp (who never sends media files to friends, right?), the GIF file will trigger a remote shell in WhatsApp context.”
Tracked as CVE-2019-11932, the double-free bug is not native to WhatsApp's own code but is found in the open-source GIF image parsing library the app uses. In light of this, the developers of Android GIF Drawable, the conduit for these attacks, have also released a new software version to rectify the issue. The post adds that in other cases the hack could even access the user's messages in the app:
“A malicious app is installed on the Android device. The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in WhatsApp context. This allows the malware app to steal files in WhatsApp sandbox including message database.”
In Android versions older than 8.0, it was recorded that the bug could still be set off, but only a few moments before the app crashes, and that the app mostly crashes prior to any data compromise.
Before this disclosure, the vulnerability had already been discovered earlier this year, in May, by Pham Hong Nhat, a security researcher in Vietnam, who shared the reach of this exploit with thehackernews.com, stating:
“The payload is executed under WhatsApp context. Therefore it has the permission to read the SD card and access the WhatsApp message database. Malicious code will have all the permissions that WhatsApp has, including recording audio, accessing the camera, accessing the file system, as well as WhatsApp’s sandbox storage that included protected chat database and so on…”
Nhat indicates that he shared the information with Facebook in July; however, action was taken and the security patch added in a new update released in September. There is no explanation yet as to why it took so long for Facebook to resolve the issue, but users are advised to protect themselves by updating the app on their devices to the latest available version as soon as possible to reduce risk.
Awakened added that the discovered information was also shared with Facebook, and has contributed the GitHub post, which details the technical intricacies of this remote code execution (RCE) issue and how to get rid of it.