WhatsApp Bug That Let Hackers Access Your Device Remotely!

WhatsApp recently identified two new security bugs in its Android application that can be exploited to execute malicious code remotely on an affected device and to compromise encrypted user communications.

The vulnerabilities affect devices running Android versions up to and including Android 9 and enable what is known as a man-in-the-disk attack, in which an adversary compromises an application by manipulating the data exchanged between it and external storage.

How Are These Attacks Executed?


The researcher said that these two WhatsApp vulnerabilities make the attacker's job easier, permitting them to remotely collect data that includes TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.

With the TLS secrets in hand, a man-in-the-middle attack can compromise WhatsApp communications, lead to remote code execution on the victim's device, and allow extraction of the Noise protocol keys used for end-to-end encryption of user communications.

The flaw, identified as CVE-2021-24027, relies on Chrome's support for content providers in Android (the "content://" URL scheme) together with a same-origin policy bypass in the browser, identified as CVE-2020-6516. The attacker sends a specially crafted HTML file to the victim through WhatsApp. When the user opens the file in the browser, the code contained in the HTML file is executed.

This code can be used to access resources stored in the unencrypted external storage area, including those belonging to WhatsApp, which was found to keep TLS session key details in a sub-directory there, among other data. As a result, confidential information is exposed to any application that can read from and write to external storage.

All the attacker has to do is get the victim to open the HTML document attachment. WhatsApp then hands the attachment to Google Chrome to render, and the attacker is able to steal the stored TLS session keys.

Armed with the keys, the attacker can then stage a man-in-the-middle attack to gain remote code execution or to exfiltrate the Noise protocol key pairs that the application gathers for diagnostic purposes, by remotely triggering a memory error on the victim's device.

When the error is thrown, WhatsApp's debugging mechanism kicks in and uploads the encoded key pairs, along with the application logs, system information and other memory content, to a dedicated crash log server. The debugging process is designed to catch fatal errors in the application. The idea behind the MitM exploit is to programmatically cause an exception that forces the data collection and sets off the upload, then to intercept the connection and disclose all the confidential information that was intended to be sent to WhatsApp's internal infrastructure.

To defend against such attacks, Google introduced a feature named scoped storage in Android 10. It gives each application an isolated storage area on the device, so that no other application installed on the same device can directly access data saved by other applications.
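The root cause described above is key material kept in shared external storage. The following added example (not from the article, the researcher or WhatsApp) audits a copy of a device's external storage for files that look like secrets; the name hints, entropy threshold, media extension list and the `com.example.chat` sample tree are assumptions constructed for illustration.

```python
import math
import os
import tempfile

# Assumed heuristics for illustration; tune them for the app under review.
NAME_HINTS = ("session", "key", "token", "secret")
MEDIA_EXT = (".jpg", ".png", ".mp4", ".opus", ".zip")  # high entropy but expected
ENTROPY_MIN = 7.0   # bits per byte; random key material approaches 8.0
SAMPLE = 4096       # bytes read from the start of each file

def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def audit(root: str) -> dict:
    """Return {relative path: reasons} for files that look like secret material."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE)
            reasons = []
            if any(hint in rel.lower() for hint in NAME_HINTS):
                reasons.append("name")
            if b"-----BEGIN" in head:          # PEM-encoded key or certificate
                reasons.append("pem")
            if (not name.lower().endswith(MEDIA_EXT)
                    and len(head) >= 256 and entropy(head) >= ENTROPY_MIN):
                reasons.append("entropy")      # opaque binary, possibly key material
            if reasons:
                findings[rel] = reasons
    return findings

def demo() -> dict:
    """Audit a constructed tree standing in for a copy of external storage."""
    samples = {   # constructed sample files for a hypothetical app
        "tls_cache/example.net.443": bytes(range(256)) * 4,  # cached-session stand-in
        "key_backup.txt": b"-----BEGIN PRIVATE KEY-----\n(placeholder)\n",
        "logs/app.log": b"2021-01-01 00:00:00 started\n" * 40,
        "media/photo.jpg": bytes(range(256)) * 4,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = os.path.join(root, "com.example.chat", "files", rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(body)
        return audit(root)
```

Files flagged under an application's directory are candidates to move into app-private internal storage; the entropy check catches the session cache even though its name gives nothing away.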

Summing Up

The cybersecurity firm has no idea whether attackers have exploited the flaws. In the past, vulnerabilities in WhatsApp have been abused to inject spyware onto targeted devices in order to snoop on human rights activists and journalists.

WhatsApp users are recommended to update to version 2.21.4.18 to mitigate the risk associated with the flaws.
