Security researchers from Trend Micro have discovered thousands of Android apps that are vulnerable to CVE-2019-11932, a vulnerability that Facebook had previously fixed in the WhatsApp messenger.
Recall that last month, a security researcher under the pseudonym Awakened discovered a vulnerability in WhatsApp that could allow attackers to gain access to files and messages of a victim using a malicious GIF image.The vulnerability is contained in the open source library libpl_droidsonroids_gif.so, which is part of the android-gif-drawable package and is used by many Android applications to process GIF files. Facebook has fixed the WhatsApp vulnerability with the release of version 2.19.244, but many other applications still use the vulnerable version of this library.
Our analysis of this threat led us to the question: how many applications still had this vulnerable library? As it turned out, quite a few. On Google Play alone, we found more than 3,000 applications with this vulnerability. We also found many other similar apps hosted on third-party app stores such as 1mobile, 9Apps, 91 market, APKPure, Aptoide, 360 Market, PP Assistant, QQ Market, and Xiaomi Market”, — report Trend Micro specialists.
Exploiting the vulnerability in WhatsApp is possible by sending a malicious GIF file to the user, which will automatically cause an error as soon as the application generates a preview of the file in the application gallery. For exploitation, it is also necessary for the attacker to be in the victim’s contact list, otherwise the malicious GIF file will not be automatically downloaded.
Read also: Hackers can change media files transmitted via WhatsApp and Telegram: how to avoid manipulation?
A criminal can elevate privileges and access files on the victim’s device, including WhatsApp messages, and create a remote shell in the context of WhatsApp. However, to achieve remote code execution, an attacker will need to use another vulnerability or malicious application that is already installed on the device.
Specialists fixed vulnerability in the libpl_droidsonroids_gif.so library last month, but many developers have not yet updated their packages.
Solution
Even though CVE-2019-11932 has been disclosed and patched, there are still a large number of applications that contain the vulnerability, which exposes many Android users to risk. If you accidentally install a vulnerable application, you will be at risk, as an attacker may be able to exploit this vulnerability to take control of this device. We urge developers to upgrade libpl_droidsonroids_gif.so if they are using it to reduce the risk to end users.