A picture is worth a thousand words, but a GIF is worth a
thousand pictures.

Today, the short looping clips, GIFs are everywhere—on your
social media, on your message boards, on your chats, helping users
perfectly express their emotions, making people laugh, and reliving
a highlight.

But what if an innocent-looking GIF greeting with Good morning,
Happy Birthday, or Merry Christmas message hacks your
smartphone?

Well, not a theoretical idea anymore.

WhatsApp has recently patched a critical security vulnerability in
its app for Android, which remained unpatched for at least 3 months
after being discovered, and if exploited, could have allowed remote
hackers to compromise Android devices and potentially steal files
and chat messages.

WhatsApp Remote Code Execution Vulnerability

The vulnerability, tracked as CVE-2019-11932, is a
double-free memory corruption bug that doesn’t actually reside in
the WhatsApp code itself, but in an open-source GIF image parsing
library natively included in Android OS and used by WhatsApp.

Discovered by Vietnamese security researcher Pham Hong Nhat
in May this year, the issue successfully leads to remote code
execution attacks, enabling attackers to execute arbitrary code on
targeted devices in the context of WhatsApp with the permissions
the app has on the device.

How Does WhatsApp RCE Vulnerability Work?

WhatsApp uses the parsing library in question to generate a preview
for GIF files when users select them from their device’s image
gallery before sending GIF messages to their friends or family.

Thus, to be noted, the vulnerability does not get triggered just
by sending a malicious GIF file to a victim; instead it gets
executed when the victim itself tries to send a malicious GIF
stored in the gallery to someone.

All an attacker needs to do is send a specially crafted malicious
GIF file to a targeted Android user via any online communication
channel and wait for the user to open the image gallery in WhatsApp
and select that malicious GIF file.

However, if attackers want to send the GIF file to victims via
any messaging platform like WhatsApp or Messenger, they need to
send it as a document file rather than media file attachments,
because image compression used by these services distort the
malicious payload hidden in images.

As shown in a proof-of-concept video demonstration the researcher
shared with The Hacker News, the vulnerability can eventually be
exploited to simply pop-up a reverse shell remotely from the hacked
device.

Vulnerable Apps, Devices and Available Patches

Since the flaw originates from a native Android library, the issue
affects WhatsApp versions 2.19.230 and older versions running on
Android 8.1 and 9.0, but does not work for Android 8.0 and below.

Nhat told The Hacker News that he reported the vulnerability to
Facebook, who owns WhatsApp, in late July this year, and the
company included a security patch in WhatsApp version 2.19.244
released in September.

Therefore, to protect yourself against any exploit surrounding
this vulnerability, you are recommended to update your
WhatsApp^[2] to the latest version
from the Google Play Store as soon as possible.

Apparently, WhatsApp for iOS is not affected by this
vulnerability.

The developer of the affected GIF library, called Android GIF
Drawable, has also released version
1.2.18^[3] of the software to patch
the double-free vulnerability.

Besides this, it is also possible that any other Android app
using the same affected library to parse GIF files could also be
vulnerable to similar attacks.

^[1]