LG plugs gap exposing info of millions of G3 users

LG has patched a security vulnerability that had the potential to allow attackers to steal personal information from an estimated 10 million G3 smartphones users worldwide.

The vulnerability was discovered in Smart Notice, which is one of LG's pre-installed apps on every G3 handset. Smart Notice displays a selection of notifications, suggestions and reminders to user, similar to Android's own Notification Center.

Security researchers Liran Segal and Shachar Korot, who found the vulnerability, said an attacker could easily steal sensitive data from the device's SD card, including WhatsApp data and images.

But as well as removing data, cunning attackers could also inject their own malicious code into the unsecured app to mislead the user into phishing scams and drive-by attacks', the latter being a program that is automatically downloaded to the user's device without their consent or knowledge.

"We informed LG, which responded quickly to notice of the vulnerability and we encourage users to immediately upgrade their application to new Smart Notice release, which contains a patch," wrote the researchers in a blog post detailing their findings.

SNAP', as the researchers have dubbed it, exposes G3 smartphones to attack by running arbitrary JavaScript code on the devices, which can lead to the vulnerabilities mentioned, as well as others.

The researchers, who represent security firms Cynet and BugSec Group, uncovered the bug by introducing vulnerable phones to contacts that were riddled with malicious code. When notifications, such as callback prompts or birthday reminders were displayed, Smart Notice would then trigger the hidden payloads.

"With a little tweak, we were able to load external scripts from a remote host and refresh' our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads," the researchers added.

In addition, the researchers also introduced proof-of-concept payloads to the devices to probe how severe the vulnerability was. In doing so, they were able to harvest data from the SD card, open the browser to any remote site and perform a denial-of-service attack that could cause the user's "phone to go crazy".

LG has now issued a patch, and recommends that people with vulnerable handset install the update as soon as possible.

IT Pro contacted LG for comment but had not received a response at the time of publication.