Researcher have discovered a serious flaw in LG G3 Android smartphones which could lead to data theft, denial of service (DoS) attacks and phishing attacks.
This vulnerability “SNAP” (Smart Notice app) was identified by BugSec researchers Shachar Korot and Liran Segal. The vulnerability was discovered in LG smartphone Notice notification app and allows an attacker to launch arbitrary JavaScript code on newest LG devices, according to threat detection service facilitator Cynet.
“Using the vulnerability, an attacker can easily open the user device to conduct a data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading him; and enable the installation of a malicious program on the device”, said researchers in a report.
If you have no idea about the Smart Notice app then check out this video :
This Smart Notice app may seem cool and clear but according to the researchers: “The root cause of the security problem is the fact that Smart Notice does not validate the data presented to the users. Data can be taken from the phone contacts and manipulated”.
To investigate further two researchers : Segal and Korot assembled a security research team and inserted a “malicious” contact (with a malicious script embedded in the contact’s first name) that was triggered by Smart Notice’s Callback reminder and Birthday notification functionalities.This allowed the team to run code from the WebView context to the phone and to achieve active command and control over the device necessary for sending new payloads, according to grahamcluley report .
It was also identified by the team that they could initiate as many attack vectors as possible to start exploiting the vulnerability. Some attacks are users focused such as inserting a contact surreptitiously with malicious code injected into the first name on a device. Or, they could social engineer the phone user into scanning an MMS or a QR code so that the user could be prompted to save the contact with only one click.
When contacted LG regarding this flaw LG responded quickly and issued a new Smart Notice release that contained a patch for this vulnerability.
“LG reacted immediately, which we appreciate. This is a major potential security breach into the personal data of millions of LG users worldwide”, said Idan Cohen- BugSec’s Chief Technology Officer.
Watch the “SNAP” vulnerability video here :