Delivering GIFs via WhatsApp could have resulted in Android phone hack

WhatsApp patches a flaw that let hackers run malicious code through GIF image libraries

Hackers might misuse the CVE-2019-11932 flaw by executing malicious code through GIF libraries

A potentially dangerous vulnerability that lets hackers execute commands remotely was found in WhatsApp, the well-known messaging platform, on Android phones. Tracked as CVE-2019-11932,[1] the flaw does not exist in the app's own code but in GIF image libraries that are present on Android devices instead.

WhatsApp is a well-known application among Android users, as it offers various functions, including exchanging text and voice messages, making voice and video calls, and sending images, documents, and other files. In February 2018, the app reached one and a half billion users, which made it the most popular communication platform in the world.[2]

A Vietnam-based cybersecurity researcher named Pham Hong Nhat found the remote code execution vulnerability in May this year. It is believed that the flaw could have been used to steal important files and information from WhatsApp users if exploited by bad actors. The bug is already patched; however, it remained unfixed for three months or more after it was discovered.

Hackers might be able to access all functions that are included in WhatsApp

According to the Vietnamese researcher, the CVE-2019-11932 flaw allows potential criminals to run tasks remotely and launch arbitrary code by abusing the permissions that WhatsApp holds on the Android device. In addition, the hacker might be able to access the app's database and view data and files stored on the device's SD card.

By exploiting the vulnerability and running a malicious payload remotely, the hackers would be granted the same permissions that WhatsApp itself has. These include:

  • Viewing files, pictures, videos.
  • Reading text messages and listening to voice messages.
  • Recording audio files.

As already mentioned, this flaw is linked to sending GIFs. A GIF (Graphics Interchange Format) is a collection of moving images, almost like a very short video that loops. GIFs are very popular and can be sent through WhatsApp. For the CVE-2019-11932 vulnerability, the process of generating the GIF preview works like this:[3]

When a WhatsApp user opens Gallery view in WhatsApp to send a media file, WhatsApp parses it with a native library called to generate the preview of the GIF file.

Criminals need to provide the GIF file in document format for the vulnerability to work

The flaw can be exploited only when the user himself sends the maliciously crafted GIF file to another user, rather than the criminal forcibly delivering it to random contacts. All that is needed is for the user to select the “right” GIF from the image gallery on the Android device and send it via WhatsApp.

Even more interesting, bad actors have to provide the GIF file as a document rather than as a media file if they want to distribute malicious GIFs through some communication apps. If the hacker delivers the GIF as a media file, WhatsApp will automatically convert it to an MP4 and the malicious plan will not work:

Then copy the content into a GIF file and send it as Document with WhatsApp to another WhatsApp user. Take note that it must not be sent as a Media file, otherwise WhatsApp tries to convert it into an MP4 before sending.

Android 8.0 and other older variants are not affected by the CVE-2019-11932 flaw

According to security reports, the vulnerability affects only WhatsApp version 2.19.230 and some earlier versions running on Android 8.1 and 9.0. The flaw does not affect Android 8.0 and older versions. In addition, the iOS version of WhatsApp is not affected.

The issue was reported to Facebook, the owner of WhatsApp, at the end of July. The company took the flaw seriously and released WhatsApp version 2.19.244, which includes the patch for the CVE-2019-11932 vulnerability.[4]

If you are a WhatsApp user and have not yet updated the app, you should go to the Play Store and do it right away to avoid the potential danger posed by the flaw. In addition, the developer of the affected GIF library fixed it by releasing version 1.2.18.[5]
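For administrators who manage many phones, the version boundaries above can be applied to a device inventory. This is an added example, not code from the article or from WhatsApp; the inventory rows, device names and status labels are assumptions, and only the version numbers come from the text.

```python
from typing import Dict, Iterable, Tuple

# Version facts taken from the article; everything else is illustrative.
LAST_REPORTED_VULNERABLE = (2, 19, 230)  # "2.19.230 and some earlier versions"
FIRST_PATCHED = (2, 19, 244)             # release that carries the fix
AFFECTED_ANDROID = {(8, 1), (9, 0)}      # Android releases named as affected
OLDEST_AFFECTED_ANDROID = (8, 1)         # Android 8.0 and older are not affected


def parse_version(text: str, width: int) -> Tuple[int, ...]:
    """'2.19.98' -> (2, 19, 98), so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def triage(platform: str, os_version: str, app_version: str) -> str:
    if platform.lower() != "android":
        return "not_affected"        # the flaw is in the Android build; iOS is not affected
    try:
        os_v = parse_version(os_version, 2)
        app_v = parse_version(app_version, 3)
    except ValueError:
        return "unconfirmed"         # inventory data could not be parsed
    if os_v < OLDEST_AFFECTED_ANDROID:
        return "not_affected"
    if app_v >= FIRST_PATCHED:
        return "patched"
    if os_v in AFFECTED_ANDROID and app_v <= LAST_REPORTED_VULNERABLE:
        return "vulnerable"
    return "unconfirmed"             # combination the article does not cover: update anyway


# Constructed sample inventory: (device name, platform, OS version, WhatsApp version).
INVENTORY = [
    ("phone-a", "android", "9", "2.19.98"),
    ("phone-b", "android", "8.1.0", "2.19.244"),
    ("phone-c", "android", "8.0", "2.19.200"),
    ("phone-d", "android", "9", "2.19.235"),
    ("phone-e", "ios", "12.4", "2.19.80"),
]


def triage_fleet(rows: Iterable[Tuple[str, str, str, str]]) -> Dict[str, str]:
    return {name: triage(plat, os_v, app_v) for name, plat, os_v, app_v in rows}


if __name__ == "__main__":
    for device, status in triage_fleet(INVENTORY).items():
        print(f"{device}: {status}")
```

Note that 2.19.98 is older than 2.19.230 even though a plain string comparison would rank it higher, which is why the versions are parsed into integer tuples first.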

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
