The developers of WhatsApp for Android fixed a dangerous bug in their application with the release of version 2.19.244. It turns out that a regular GIF file could be used on a vulnerable device to remotely execute arbitrary code and gain access to sensitive user data.
The vulnerability was discovered by an independent information security expert from Vietnam, known under the pseudonym Awakened. The bug belongs to the double-free class and has the identifier CVE-2019-11932. The problem allowed remote code execution on devices running Android 8.1 and 9.0; on previous versions of the mobile OS, the bug could only be used to provoke a denial of service (DoS).
The root of the problem lay in the open source library libpl_droidsonroids_gif.so, which WhatsApp uses to create previews for GIF files. The error has already been fixed in the library.
Exploiting the bug involves sending a malicious GIF file to the victim. The vulnerability is triggered automatically when the target user opens the WhatsApp gallery (for example, when they want to send an image to one of their contacts). However, exploiting the vulnerability is not as simple as it might seem. The attacker must be in the victim's contact list for the malicious GIF file to be downloaded to the target device automatically. In addition, remote code execution can only be achieved if exploitation of CVE-2019-11932 is combined with another vulnerability or with malware already present on the target device.
All technical details, as well as a PoC exploit, can be found on Awakened's blog.