A researcher has discovered a bug in WhatsApp for Android that takes advantage of malicious GIFs to potentially give access to hackers to files and messages on a users’ device. The researcher, who goes by the name Awakened has put out a detailed post on GitHub that reveals the double-free vulnerability in WhatsApp.
Facebook has since patched the vulnerability in WhatsApp version 2.19.244 for Android after the company was notified by the researcher. The Android versions that were affected by the app were Android 8.1 and 9.0, so those on Android 8.0 and below shouldn’t be worried.
The exploit relies on malicious GIF files that can be sent by attacker to a user via WhatsApp as an attachment. When the user clicks on the Paper click icon to open Gallery to choose media to send to any contact, the bug is triggered. “Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit,” Awakened explained in the post. The bug can potentially gain access to the user’s device.
Facebook confirmed in an email statement to the TheNextWeb that the issue was addressed last month in August. However, a WhatsApp spokesperson told the site that the exploit can be pulled off only when the user takes action to send a GIF, which the researcher disagreed with.
The researcher said in an email to TheNextWeb that WhatsApp’s claim is not correct. “The spokesperson must have misunderstood the issue,” he added. Awakened also posted a video that showcases the steps to carry out the attack.