A new vulnerability has been described in WhatsApp that could leave Android devices open to remote code execution (RCE) attacks. According to a security researcher, the flaw could be exploited on Android and give attackers elevated privileges through exploiting a double-free bug.

Described by Awakened, a self-professed “technologist and an information security enthusiast”, the flaw was highlighted on Microsoft’s GitHub.

Luckily, for bad actors seeking to take advantage of the flaw, it will be a complicated process. Attackers would need to send an infected GIF file to an intended victim. This GIF could come through any channel, such as email or through WhatsApp.

Yes, this seems like a classic phishing attack, but the victim would need to download the GIF to a device and then open the WhatsApp gallery to send the file to another user. It is worth noting the GIF does not have to be resent, but simply the WhatsApp gallery opening. When opened the attack will trigger.

“When a WhatsApp user opens Gallery view in WhatsApp to send a media file, WhatsApp parses it with a native library called libpl_droidsonroids_gif.so to generate the preview of the GIF file…

“When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created. Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”

Patched

Awakened explains the vulnerability can only be exploited on Android 8.1 and 9.0, and only on WhatsApp version 2.19.230. Considering this narrow exploit field and complicated attack process, the bug is not exceptionally dangerous.

Still, Facebook has been informed and the company did send out a patch that arrived in WhatsApp version 2.19.244.