LG Patches Severe Smartphone Hijack Vulnerability
LG today released a security update for some of its latest smartphones to resolve a severe vulnerability found in the Smart Notice application.
Introduced by LG in 2014, along with the flagship LG G3, the Smart Notice application comes pre-loaded on all new LG smartphones, and was designed to display notifications to users. BugSec security researchers Liran Segal and Shachar Korot discovered that the notifications displayed by Smart Notice can be modified to inject unauthenticated arbitrary JavaScript code on the affected devices.
Called SNAP, the vulnerability can result in the theft of sensitive user data, a team of BugSec and Cynet researchers determined. Furthermore, with Smart Notice loaded on all new LG handsets, they suggest that the flaw potentially affects millions of users globally.
By exploiting the vulnerability, attackers can extract private user information from the device, such as what’s stored on the SD card, including WhatsApp data and private images. Moreover, successful exploitation renders users vulnerable to phishing attacks and can result in the installation of mobile malware the affected devices.
Smart Notice was designed to present users with a series of notifications in the form of cards, to suggest they keep in touch with favorite contacts, to suggest saving a caller number, or to remind users about contact birthdays or to callback a contact after declining the call.
The issue is that the Smart Notice application does not validate the data presented to users, which means that data can be taken from the phone contacts and manipulated. The team of researchers also discovered that functionality issues in the application make it possible to launch attacks using different methods.
The security researchers managed to insert a new “malicious” contact that had a script embedded to the contacts list and have it triggered by the “Callback Reminder” and “Birthday notification.” Smart Notice uses a “WebView”-based application and researchers said they were able to run code from the “WebView” context to the phone.
By loading external scripts from a remote host and refreshing the code every few seconds, researchers gained control over the LG phone and were able to send additional payloads. The flaw allowed the researchers to access a phone’s external SD Card, auto open the browser to a remote site (for phishing and/or drive-by downloads), and even launch a denial of service (DoS) attack.
The researchers also found that attackers could use several vectors to compromise a device by injecting the malicious contact without the phone user noticing it.
The researchers have contacted LG to report the vulnerability and the company was quick to acknowledge the issue and deliver a patch. Owners of LG devices that have the Smart Notice loaded on them are advised to update to the latest version of the application as soon as possible to stay protected.
source: securityweek.com