A flaw in the Facebook Messenger app allows running persistent malware

The Windows version of Messenger had a vulnerability that could allow attackers to hijack a call and inject malware

The Facebook application was patched after the critical bug was discovered

Researchers have revealed a critical bug in the Facebook Messenger application that allows long-term persistent malware attacks.[1] The cybersecurity firm Reason Security[2] spotted the serious flaw in the Windows version of Messenger and shared details of the bug and its potential impact. The bug is specific to the Windows desktop version of the app that is available on the Microsoft Store.

When the vulnerable app triggers a call, it loads Powershell.exe from a path that an attacker can control, so whatever sits at that path gets executed. The flaw was discovered in version 460.16 of Messenger. It was reported that an attacker leveraging the flawed app can potentially execute malicious files already present on the compromised system and attempt to gain extended access. This is how persistent malware can be injected and triggered on any affected system.

Facebook was reportedly informed about this in April, and the social media company has released a patch for the flaw, so the updated version of Facebook Messenger for Windows available on the Microsoft Store is fixed.[3] Upgrade to version 480.5 to ensure that your Facebook Messenger app is not vulnerable.

Attackers could hijack calls and execute malware

The bug existed because a particular version of the application made an unusual call that allowed an attacker to gain persistent access to the targeted machine. This is how hackers could hijack the call via Messenger and run their malware. The launch of Powershell.exe from the Python27 directory was what drew the researchers' attention to the strange call:

When we saw that, we knew we found something since the location of “Python27” is in the “c:\\python27” directory, which is a low-integrity location. This means that every malicious program can access the path without any admin privileges.

The targeted directory is in a low-integrity location, so a malicious program can be dropped there without any special permissions or administrator rights. The research team tested the flaw by disguising a reverse shell and deploying it into the Python directory. The Messenger app call was then triggered successfully, and the shell was executed. This proved that malicious actors could easily exploit the flaw and carry out attacks.
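As an added example, not code from the article or from Reason Security, here is a small defender-side check in Python: given process-creation records in the shape of Sysmon Event ID 1, it flags any powershell.exe that runs from outside the standard Windows PowerShell directories, which is exactly what the C:\python27 launch described above would look like in telemetry. The sample records, and the Messenger parent path in them, are constructed placeholders.

```python
"""Flag powershell.exe launches from unexpected directories.

The sample events below are constructed in the shape of Sysmon Event ID 1
(process creation) records: the field names (Image, ParentImage,
CommandLine) are Sysmon's, the values are made up for this example.
"""
from pathlib import PureWindowsPath

# Directories from which powershell.exe is expected to run. A launch from
# anywhere else (for example C:\Python27, a location a normal user can
# write to) is treated as a possible binary hijack.
TRUSTED_POWERSHELL_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}


def is_hijacked_powershell(event):
    """True if the event is powershell.exe starting outside the trusted dirs."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "powershell.exe":
        return False  # not a PowerShell launch at all
    return str(image.parent).lower() not in TRUSTED_POWERSHELL_DIRS


def find_hijacked_powershell(events):
    """Return (ParentImage, Image) pairs for every suspicious launch."""
    return [(e["ParentImage"], e["Image"])
            for e in events if is_hijacked_powershell(e)]


# Constructed sample records: one legitimate launch from System32 and one
# that mirrors the Messenger 460.16 behaviour (parent path is a placeholder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"Image": r"C:\python27\Powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\MessengerPlaceholder\Messenger.exe",
     "CommandLine": r"C:\python27\Powershell.exe"},
]

if __name__ == "__main__":
    for parent, image in find_hijacked_powershell(SAMPLE_EVENTS):
        print(f"suspicious: {parent} launched {image}")
```

The same rule can be applied to any other helper binary an application is known to spawn; the point is that the expected location is fixed and anything else is worth an alert.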

A more complex vulnerability to exploit than typical attacker methods

More conventionally, hackers achieve persistence by modifying the registry, creating scheduled tasks or services, and otherwise maintaining active access to the system. This particular type of flaw is more complex to exploit, because the attacker has to either observe that the app is making such unwanted calls or dig into the application's binary code and find the function that makes the call.

There are no particular indications that this vulnerability was exploited, but it is a high-risk bug.[4] Hackers could use the flaw to run malicious activities for extended periods. It is a persistence issue, and malicious actors could use it to deploy ransomware, exfiltrate data, or breach confidential information.

Such persistence methods are most often used to target particular institutions, governments, and companies. Specialized attacks affect financial institutions, offices, and businesses in various industries. Flaws in messaging apps are all the more worrying because during times like the pandemic[5] people turn to these applications and use them more heavily than before.