Facebook-owned messaging app WhatsApp recently fixed a security vulnerability in its Android-based applications, after a security researcher reported the issue nearly three months earlier.
According to a researcher who goes by the name Awakened, the vulnerability could have allowed hackers to compromise Android devices remotely and steal files and chat messages. The vulnerability, tracked as CVE-2019-11932, is a double-free memory corruption bug in the open-source GIF image library that WhatsApp uses to generate previews for videos, images, and GIFs.
The researcher stated that the flaw allows attackers to execute arbitrary code on targeted devices. To exploit this flaw, an attacker needs to send a specially crafted malicious GIF to targeted Android users. The malicious code triggers when the user opens the image in WhatsApp.
“The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below,” Awakened writes. “In the older Android versions, double-free could still be triggered. However, the app just crashes before reaching the point that we could control the PC register,” the researcher said.
The researcher urged WhatsApp users to update their apps to prevent potential threats. “Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. WhatsApp users, please do update to the latest WhatsApp version (2.19.244 or above) to get rid of this bug,” the researcher added.
This is not the first time WhatsApp has had to deal with such vulnerabilities in its software. Recently, Symantec’s Modern OS Security team discovered a flaw affecting WhatsApp accounts for Android devices. The flaw allows attackers to manipulate and expose media files in WhatsApp.
Symantec stated that the security flaw, dubbed Media File Jacking, affects WhatsApp for Android by default, if certain features are enabled. The flaw, if exploited, allows attackers to misuse and manipulate sensitive information like personal photos and videos, corporate documents, invoices, and voice memos.