Persistence Threat in the Facebook Messenger Desktop App

Spending time on lockdown and following the social distancing rules has affected our lives a lot, and one thing that transformed during this time is our communication.

The use of desktop instant messengers, for one, skyrocketed since the pandemic kicked in. 

Facebook has revealed a 70% increase in time spent on its apps since the COVID-19 situation, proving that users are relying heavily on Messenger to perform their daily tasks. Desktop-based instant messengers are especially helpful since they help users keep all their work processes in one place. 

Unfortunately, convenience and security don’t always go hand-in-hand, and there’s another example of why this is true.

Critical Flaw in Facebook Messenger Desktop App

The Reason Labs researchers have recently found a vulnerability in the Facebook Messenger desktop app version 460.16 for Windows. 

The vulnerability allowed the attackers to gain persistence and get extended access in the system, as the app could be leveraged to load a Windows Powershell from C:\python27 directory. It is a low-integrity location that allows the malware to access the path without admin privileges.

Usually, that path does not exist in most Windows installations and is created when installing Python 2.7. A lot of programs load non-existent resources because they don’t have the absolute path for the resource and have to traverse the search order. Attackers often find a binary causing unwanted calls or non-existent DLL that would allow the call to be hijacked and forced to run malicious files. 

“The app executes code that shouldn’t be executed, resulting in a vulnerability that allows attackers to hijack a call for a resource within the Messenger code in order to run their malware.” ‒ highlights Reason Labs’ report.

Persistence threat accommodated by this flaw is critically important for the attackers, since it keeps a connection with a remote workstation, allowing malware to communicate, run, and stay hidden. 

All Facebook Messenger desktop app users should update to version 480.5 plus learn more about the shortcomings in desktop apps of messengers such as Telegram, Viber, and Signal. 

Desktop Apps Give “Another Door” to the Attackers

To better explain threats associated with the extended threat surface, allow us to bring up a story unrelated to instant messengers.

Back in February of 2011, two American anti-drug agents were passing a red-zone roadside in Mexico in their heavily armored Chevy Suburban. The car was designed to nullify the threats of gunfire, grenades, even land mines. 

It also had a consumer-friendly automatic setting that opened the driver’s door when the car was put in park. 

The doors popped wide open. The agent behind the wheel was killed immediately, another agent was shot. The entire story is highly disturbing, but it showcases how convenience can be a faulty friend, and even lead to lethal consequences.

While critical vulnerabilities do not come close to the outcome of that gory story, we still have to remember that such app flaws carry significant risk, allowing bad actors to perform other sophisticated attacks, exfiltrate and breach sensitive data, put the ransomware on the machine, etc. 

Recently we have also covered how the more obscure apps can turn malicious and attack others using your resources.

Please remember that in the interconnected world we’re living today, mobile security is directly linked up to computer security. To mitigate the potential threats, please find the time to update software regularly and keep their amount to a viable minimum.If you have liked this blog post, be sure to subscribe down below and follow StealthTalk on Twitter.