SecurityWeek

LG Patches Severe Smartphone Hijack Vulnerability

LG today released a security update for some of its latest smartphones to resolve a severe vulnerability found in the Smart Notice application.

Introduced by LG in 2014, along with the flagship LG G3, the Smart Notice application comes pre-loaded on all new LG smartphones, and was designed to display notifications to users. BugSec security researchers Liran Segal and Shachar Korot discovered that the notifications displayed by Smart Notice can be modified to inject unauthenticated arbitrary JavaScript code on the affected devices.

Called SNAP, the vulnerability can result in the theft of sensitive user data, a team of BugSec and Cynet researchers determined. Furthermore, with Smart Notice loaded on all new LG handsets, they suggest that the flaw potentially affects millions of users globally.

By exploiting the vulnerability, attackers can extract private user information from the device, such as what’s stored on the SD card, including WhatsApp data and private images. Moreover, successful exploitation renders users vulnerable to phishing attacks and can result in the installation of mobile malware on the affected devices.

Smart Notice was designed to present users with a series of notifications in the form of cards: suggestions to keep in touch with favorite contacts or to save a caller's number, and reminders about contacts' birthdays or to call back a contact after declining a call.

The issue is that the Smart Notice application does not validate the data presented to users, which means that data can be taken from the phone contacts and manipulated. The team of researchers also discovered that functionality issues in the application make it possible to launch attacks using different methods.

The security researchers managed to insert into the contacts list a new “malicious” contact that had a script embedded, and have it triggered by the “Callback Reminder” and “Birthday notification.” Smart Notice uses a “WebView”-based application and researchers said they were able to run code from the “WebView” context to the phone.
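The unvalidated-contact rendering described above, as an added example that is not from the original article or from LG's code: a hypothetical card renderer that concatenates a contact name into WebView HTML, shown beside an output-encoded version and a simple contact-list check. The templates, function names and contact records are assumptions constructed for illustration; the article does not say how LG's patch works.

```javascript
// Added illustration: hypothetical card renderer, not Smart Notice source code.
// Contact records below are constructed sample data.
const contacts = [
  { name: "Dana Levi", event: "birthday" },
  { name: "<script>alert(1)</script>", event: "callback" }, // constructed hostile name
];

// Hypothetical card texts for the two notification types named in the article.
const TEMPLATES = {
  birthday: (who) => `<div class="card">Wish ${who} a happy birthday</div>`,
  callback: (who) => `<div class="card">You declined a call from ${who}. Call back?</div>`,
};

// Weak form: contact data is concatenated into WebView HTML unvalidated.
function renderCardUnsafe(contact) {
  return TEMPLATES[contact.event](contact.name);
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: the name is treated as text, never as markup.
function renderCardSafe(contact) {
  return TEMPLATES[contact.event](escapeHtml(contact.name));
}

// Defender check: flag contacts whose name contains markup characters,
// which a display name has no reason to hold.
function findSuspiciousContacts(list) {
  return list.filter((c) => /[<>]/.test(c.name)).map((c) => c.name);
}

// True if the rendered card contains any tag other than the template's own div.
function hasInjectedMarkup(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.some((t) => !/^<\/?div$/i.test(t));
}
```

With the encoded renderer the hostile name is displayed as literal text on the card, while the contact-list check surfaces the record for review.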

By loading external scripts from a remote host and refreshing the code every few seconds, researchers gained control over the LG phone and were able to send additional payloads. The flaw allowed the researchers to access a phone’s external SD Card, auto open the browser to a remote site (for phishing and/or drive-by downloads), and even launch a denial of service (DoS) attack.

The researchers also found that attackers could use several vectors to compromise a device by injecting the malicious contact without the phone user noticing it.

The researchers contacted LG to report the vulnerability, and the company was quick to acknowledge the issue and deliver a patch. Owners of LG devices that have Smart Notice loaded on them are advised to update to the latest version of the application as soon as possible to stay protected.

Vulnerabilities in mobile devices are nothing out of the ordinary, especially when it comes to Android, as Google patches flaws in the OS on a monthly basis. 
