Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Flaw Allows Hackers to Modify Texts on LG Smartphones

LG has released fixes for two serious vulnerabilities affecting the company’s Android smartphones, including a flaw that can be exploited remotely to delete and modify text messages.

LG has released fixes for two serious vulnerabilities affecting the company’s Android smartphones, including a flaw that can be exploited remotely to delete and modify text messages.

The vulnerabilities were discovered by researchers at security firm Check Point, who disclosed the issues after the vendor developed patches. It’s worth noting that LG is estimated to have a share of nearly 10 percent in the U.S. smartphone market.

Google releases security updates for Android every month, but since each original equipment manufacturer (OEM) makes its own modifications to the operating system, some vulnerabilities are specific to their devices.

According to Check Point researchers, LG smartphones are plagued by two serious flaws. One of them, an issue that can be exploited locally, is related to a privileged LG service named “LGATCMDService.”

Since this service is not protected by a bind permission, any app, regardless of its permissions or origin, can communicate with it. This allows attackers to connect to it and perform various actions, including reading and overwriting the IMEI and MAC address, rebooting the device, disabling a USB connection, wiping the device, and even bricking it completely.

The vulnerability, tracked as CVE-2016-3117, could be highly useful for a piece of ransomware.

“Ransomware would find these features very useful by locking a user out of a device and then disabling the ability to retrieve files by connecting the device with a computer via USB,” said Check Point researchers.

Advertisement. Scroll to continue reading.

The second flaw found by experts, tracked as CVE-2016-2035, is related to LG’s implementation of WAP Push, a protocol used for text messages that contain links to websites.

The protocol, designed for use by mobile carriers, is affected by a SQL injection vulnerability. Since the WAP Push protocol includes features for updating and deleting text messages, a remote attacker can exploit the flaw to delete or modify any message from the targeted smartphone.

“A potential attacker could use this vulnerability to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials,” explained Check Point researchers.

Related: Vulnerability in Mobile Networks Allows Easy Phone Tracking

Related: LG Patches Severe Smartphone Hijack Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.