The first stage of this process is exploiting a vulnerability in the Chrome browser, bypassing the Same-Origin-Policy applicable to local content. The attack itself would involve the victim opening a specially crafted HTML document in Chrome, which exfiltrates certain local files from the internal storage of an Android device.
The next step of the attacker’s exploitation process is to exfiltrate files containing TLS cryptographic material used to secure the communication between the WhatsApp client and backend servers. The vulnerability here is that WhatsApp stores TLS session keys as files in the internal storage of the device that is accessible by other applications or components. Therefore, this storage is not fully private to the WhatsApp application itself.
Once these cryptographic keys are exfiltrated, an attacker is able to perform a Man-in-the-Middle attack and decrypt or modify the communication between WhatsApp and the backend servers. This part of the attack requires the capability of re-routing network traffic to pass through an attacker-controlled node. Even though this part of the attack is left out of scope in the article, it is still realistic, depending on the scenario and network topology, for victim traffic to be re-routed.
Having Man-in-the-Middle capabilities, an attacker then modifies in-flight a ZIP archive downloaded by the WhatsApp application containing doodles and various emojis. The modified ZIP file takes advantage of two other vulnerabilities in the WhatsApp application, allowing an attacker to overwrite files on the device containing code executed by WhatsApp. The end result is that arbitrary code is executed with the privileges of the WhatsApp application itself, thus enabling an attacker to alter its behavior completely or access message contents.
Besides the complex interaction of components, notice that no memory corruption vulnerability is exploited in this attack. The full chain is built upon individual vulnerabilities that expose private artifacts (cryptographic keys, code) to an attacker. Addressing such issues requires a good understanding of how the various components of a system interact with one another. This exercise is far from trivial, requiring combined knowledge of both the Android platform, threat modeling, security architecture, and code reviews.
Contributed by Alexandru Geana, Head of Innovation, Riscure. If you have any questions, contact us at firstname.lastname@example.org.
Check out other posts of Riscure Security Highlights.