LG Patches Severe Smartphone Hijack Vulnerability

LG today released a security update for some of its latest smartphones to resolve a severe vulnerability found in the Smart Notice application.


Introduced by LG in 2014, along with the flagship LG G3, the Smart Notice application comes pre-loaded on all new LG smartphones, and was designed to display notifications to users. BugSec security researchers Liran Segal and Shachar Korot discovered that the notifications displayed by Smart Notice can be modified to inject unauthenticated arbitrary JavaScript code on the affected devices.

Called SNAP, the vulnerability can result in the theft of sensitive user data, a team of BugSec and Cynet researchers determined. Furthermore, with Smart Notice loaded on all new LG handsets, they suggest that the flaw potentially affects millions of users globally.

By exploiting the vulnerability, attackers can extract private user information from the device, such as what’s stored on the SD card, including WhatsApp data and private images. Moreover, successful exploitation renders users vulnerable to phishing attacks and can result in the installation of mobile malware on the affected devices.

Smart Notice was designed to present users with a series of notifications in the form of cards: suggesting they keep in touch with favorite contacts, suggesting they save a caller's number, reminding them about contacts' birthdays, or reminding them to call back a contact after declining a call.

The issue is that the Smart Notice application does not validate the data presented to users, which means that data can be taken from the phone contacts and manipulated. The team of researchers also discovered that functionality issues in the application make it possible to launch attacks using different methods.

The security researchers managed to insert a new “malicious” contact with an embedded script into the contacts list and have it triggered by the “Callback Reminder” and “Birthday notification.” Smart Notice is a “WebView”-based application, and researchers said they were able to run code from the “WebView” context to the phone.
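The missing validation described above can be shown with a small added example, which is not LG's code and not taken from the researchers' report: a notification card built from a contact field, first by plain concatenation and then with output encoding. All function names and the sample contacts are hypothetical and constructed for illustration.

```javascript
// Constructed sample data: one ordinary contact, one whose name field carries markup.
const contacts = [
  { name: "Dana Levi", event: "birthday" },
  { name: "Sam<script>/* constructed marker */</script>", event: "callback" },
];

// Vulnerable pattern: contact data is concatenated straight into the HTML
// that the WebView renders, so markup in the name becomes part of the page.
function renderCardUnsafe(contact) {
  return `<div class="card">Reminder: ${contact.event} for ${contact.name}</div>`;
}

// Hardened pattern: encode every character that has meaning in HTML
// before the value reaches the template.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderCardSafe(contact) {
  return `<div class="card">Reminder: ${escapeHtml(contact.event)} for ${escapeHtml(contact.name)}</div>`;
}

// Regression check: does the rendered card contain any element other than
// the template's own <div>? Useful in unit tests for the card renderer.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => t.replace(/^<\/?/, "").toLowerCase() !== "div");
}

// Audit helper: list stored contact names that contain angle brackets,
// which have no place in a display name.
function flagSuspiciousContacts(list) {
  return list.filter((c) => /[<>]/.test(c.name)).map((c) => c.name);
}

for (const c of contacts) {
  console.log("unsafe injected:", containsInjectedMarkup(renderCardUnsafe(c)),
              "| safe injected:", containsInjectedMarkup(renderCardSafe(c)));
}
console.log("flagged contacts:", flagSuspiciousContacts(contacts).length);
```

On Android, output encoding of this kind is usually paired with restricting the WebView itself, for example `setJavaScriptEnabled(false)` and `setAllowFileAccess(false)` when the view does not need them.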

By loading external scripts from a remote host and refreshing the code every few seconds, researchers gained control over the LG phone and were able to send additional payloads. The flaw allowed the researchers to access a phone’s external SD Card, auto open the browser to a remote site (for phishing and/or drive-by downloads), and even launch a denial of service (DoS) attack.

The researchers also found that attackers could use several vectors to compromise a device by injecting the malicious contact without the phone user noticing it.

The researchers have contacted LG to report the vulnerability and the company was quick to acknowledge the issue and deliver a patch. Owners of LG devices that have the Smart Notice loaded on them are advised to update to the latest version of the application as soon as possible to stay protected.

Vulnerabilities in mobile devices are nothing out of the ordinary, especially when it comes to Android, as Google patches flaws in the OS on a monthly basis. 
