‘SNAP’ Puts Millions of LG Smartphones at Risk of Hijacking

Oh ‘SNAP’: LG has patched a severe security vulnerability in its G3 smartphones, which can be easily exploited for a complete phone takeover.

Using the vulnerability, an attacker can easily carry out a range of nefarious activities, including: data harvesting, because the application has a default permission that allows access to the phone’s external SD card, which holds sensitive data of the device owner; phishing and drive-by attacks, because it’s possible to auto-open the phone browser to any remote site; and denial of service (DoS) via an infinite loop that would soon consume all the phone’s resources and essentially put the phone out of order until a hard reset.

BugSec and Cynet researchers discovered the flaw, dubbed the SNAP vulnerability, which allows an attacker to run arbitrary JavaScript code on the devices. It’s an issue in one of the LG applications, Smart Notice, which is pre-installed automatically on every new LG device. It shows users their recent notifications via pop-ups for things like callback reminders, birthday notifications, memo reminders and new contact suggestions.

The root cause of the security problem is that Smart Notice does not validate what’s presented to users, so data can be taken from the phone’s contacts list and manipulated to create authentic-looking, but forged, “notifications” that have been injected with unauthenticated malicious code. The user just needs to click on one of them to open the door to malicious activity.

The attack can take place in several ways. For instance, the security researchers were able to insert a new “malicious” contact into a contact list (with a script embedded) that was triggered by the callback reminder and by the birthday notification.

“With a little tweak, we were able to load external scripts from a remote host and ‘refresh’ our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads,” they said.

To avoid compromise, users should immediately upgrade to the latest Smart Notice release, which contains a patch.
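The root cause described above, contact data shown in a notification without validation, is addressed by encoding that data at the point of output. The following JavaScript is an added example, not code from LG, Smart Notice or the researchers; it assumes notifications are rendered as HTML, and the contact fields, markup and function names are hypothetical.

```javascript
// Added example: field names, markup and functions are assumptions,
// not Smart Notice internals.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a contact field so it is displayed as text, never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the contact name is concatenated into the markup unchanged,
// so markup stored in the contact list becomes part of the notification.
function renderReminderUnsafe(contact) {
  return `<div class="card">Call back ${contact.name}?</div>`;
}

// "After": every contact-derived field is encoded where it is output.
function renderReminderSafe(contact) {
  return `<div class="card">Call back ${escapeHtml(contact.name)}?</div>`;
}

// Defence in depth: flag stored contacts whose string fields contain
// markup characters or a script-like URL scheme, for review or cleanup.
function findSuspiciousContacts(contacts) {
  const pattern = /[<>]|javascript:/i;
  return contacts.filter((c) =>
    Object.values(c).some((v) => typeof v === "string" && pattern.test(v))
  );
}

// Constructed sample data (not taken from the research).
const SAMPLE_CONTACTS = [
  { name: "Alice O'Neil", phone: "+1 555 0100" },
  { name: '<script src="https://example.invalid/p.js"></script>', phone: "+1 555 0101" },
];

for (const contact of SAMPLE_CONTACTS) {
  console.log(renderReminderSafe(contact));
}
console.log(findSuspiciousContacts(SAMPLE_CONTACTS).length, "contact(s) flagged");
```

Encoding at output is the fix; the contact scan only helps find entries that were already planted before the fix was applied.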
