Make sure your WhatsApp is updated, Android users, because a flaw in older versions could let hackers see your messages and chats just by making you open a booby-trapped image.
WhatsApp versions 2.19.230 and earlier could be exploited if the user previews a malicious GIF in the app, a Singaporean hacker calling himself or herself "Awakened" disclosed on GitHub yesterday (Oct. 2). The flaw is fully patched in WhatsApp version 2.19.244, released Sept. 18, as well as later versions.
To check the version number of your WhatsApp build, open the app, tap the three dots at the top right of the screen and select Settings. Then tap Help, followed by App Info.
The WhatsApp attack works on Android 8.1 Oreo and Android 9 Pie, but not on Android 8.0 Oreo and earlier, Awakened said; on those older builds the malformed GIF only crashes WhatsApp. The researcher apparently did not test the attack on Android 10, aka Android Q, but until someone does, assume it works there too.
The problem is a double free: WhatsApp hands a previewed GIF to an open-source Android library for decoding, and a crafted file can make that library release the same block of heap memory twice. A second free of already-freed memory corrupts the allocator's bookkeeping, which in the best case crashes the app and in the worst case gives an attacker a foothold to read or overwrite memory. We'll skip the rest of the technical details, but suffice it to say: that's not good.
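Since the article skips the mechanics, here is an added illustration of the bug class, written for this page; it is not the library's or WhatsApp's code. The frame layout, the function names, the tracking allocator and the specific trigger (a zero-sized frame turning a realloc into a free, which the caller then mistakes for an allocation failure) are assumptions made for the example, not a claim about what the real library did. The tracking allocator hands out addresses from a static pool that are never reused, so the stale pointer can be recognised and the fault reported instead of crashing the process.

```c
/* Added example: a double free in a frame-by-frame image decoder, vulnerable
 * and hardened forms. NOT the WhatsApp/GIF-library code; every name and the
 * trigger pattern below are assumptions made for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a per-frame header: GIF frame dimensions are 16-bit. */
typedef struct { uint32_t width; uint32_t height; } frame_t;

enum { DECODE_OK = 0, DECODE_REJECTED = 1, DECODE_DOUBLE_FREE = 2 };

/* Simulated heap: a bump allocator over a static pool plus a table of live
 * blocks. Addresses are never reused, so freeing a block twice is detectable
 * and is recorded rather than corrupting a real allocator. */
#define POOL_BYTES 4096
#define MAX_LIVE 16
static uint8_t pool[POOL_BYTES];
static size_t pool_used;
static void *live[MAX_LIVE];
static int double_free_seen;

static void track_reset(void) { pool_used = 0; memset(live, 0, sizeof live); double_free_seen = 0; }

static void *track_alloc(size_t n) {
    if (n == 0 || n > POOL_BYTES - pool_used) return NULL;
    void *p = pool + pool_used;
    pool_used += n;
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    return NULL;
}

static void track_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; return; }
    double_free_seen = 1;              /* p is not live: second free of the same block */
}

/* Mimics realloc(ptr, 0) as glibc and bionic behave: the old block is freed and
 * NULL is returned. On allocation failure the old block is left intact, as with
 * real realloc. (Contents are not copied; nothing here writes pixel data.) */
static void *track_realloc(void *p, size_t n) {
    if (n == 0) { track_free(p); return NULL; }
    void *q = track_alloc(n);
    if (q && p) track_free(p);
    return q;
}

/* Vulnerable loop (assumed pattern): one pixel buffer reused across frames. A
 * 0x0 frame makes track_realloc free the buffer; the NULL return is read as
 * "allocation failed, keep the old buffer", so the dangling pointer survives
 * and is handed back to the allocator on the next frame or at cleanup. */
static int decode_vulnerable(const frame_t *frames, size_t n) {
    track_reset();
    uint8_t *pixels = NULL;
    for (size_t i = 0; i < n; i++) {
        size_t bytes = (size_t)frames[i].width * frames[i].height;
        uint8_t *tmp = track_realloc(pixels, bytes);
        if (tmp != NULL) pixels = tmp;   /* BUG: NULL also means "freed" when bytes == 0 */
        /* ... decode frame i into pixels ... */
    }
    track_free(pixels);                  /* second free if a 0x0 frame was seen */
    return double_free_seen ? DECODE_DOUBLE_FREE : DECODE_OK;
}

/* Hardened loop: validate dimensions before touching the heap, never call
 * realloc with size 0, and clear the pointer after every free. */
static int decode_hardened(const frame_t *frames, size_t n) {
    track_reset();
    uint8_t *pixels = NULL;
    for (size_t i = 0; i < n; i++) {
        uint32_t w = frames[i].width, h = frames[i].height;
        if (w == 0 || h == 0 || w > 65535 || h > 65535) {
            track_free(pixels); pixels = NULL;
            return DECODE_REJECTED;
        }
        size_t bytes = (size_t)w * h;    /* both operands < 2^16, so no overflow */
        uint8_t *tmp = track_realloc(pixels, bytes);
        if (tmp == NULL) { track_free(pixels); pixels = NULL; return DECODE_REJECTED; }
        pixels = tmp;
    }
    track_free(pixels); pixels = NULL;
    return double_free_seen ? DECODE_DOUBLE_FREE : DECODE_OK;
}

/* Constructed inputs: a crafted sequence with a 0x0 frame, and a benign one. */
static const frame_t kBadFrames[3]  = { {8, 8}, {0, 0}, {8, 8} };
static const frame_t kGoodFrames[3] = { {8, 8}, {16, 16}, {4, 4} };

int main(void) {
    printf("vulnerable, crafted frames: %d (2 = double free detected)\n", decode_vulnerable(kBadFrames, 3));
    printf("vulnerable, benign frames:  %d (0 = ok)\n", decode_vulnerable(kGoodFrames, 3));
    printf("hardened,   crafted frames: %d (1 = rejected)\n", decode_hardened(kBadFrames, 3));
    printf("hardened,   benign frames:  %d (0 = ok)\n", decode_hardened(kGoodFrames, 3));
    return 0;
}
```

The benign sequence decodes cleanly in both versions, which is the point: the defect is data-dependent and only a crafted file reaches it. With a real heap the second free would corrupt allocator metadata or trip the allocator's own double-free check, which is the crash the article mentions on older Android builds; on builds where the allocator does not abort, the corrupted bookkeeping is what an attacker builds on.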
There are two attack vectors. First, a malicious app already installed on the phone (and the Android ecosystem has plenty of those) could write a booby-trapped GIF to storage and wait for the user to open it in WhatsApp's Gallery picker, resulting in data leakage. Second, the GIF could simply be sent to the victim as a WhatsApp attachment and trigger the exploit when the victim views it in the Gallery.
Awakened notified Facebook, WhatsApp's owner, of the flaw several weeks ago, and Facebook in turn notified the developer of the Android library in question. Both WhatsApp and the library have since been fixed.
There is no evidence that this attack has yet been carried out by anyone other than Awakened, but now that the secret's out, someone will try.