LG has fixed a major security vulnerability that could possibly allow attackers to steal data stored on the microSD card in its flagship LG G3 smartphone. As claimed by BugSec and Cynet researchers, the security vulnerability in G3 smartphone enabled an attacker to run arbitrary JavaScript code on the device via LG’s Smart Notice app, which comes preloaded on the G3 device.
Capable of injecting unauthenticated malicious code, the Smart Notice app displays the recent notifications. Moreover, the app also provides predictive recommendations based on the status of the phone, behavior, and location.
Reported to be affected in the handsets of nearly 10 million G3 users, the vulnerability could also lead to authentic and automated phishing attacks in addition to a full denial of service (DOS) on the device.
While releasing a patch for the Smart Notice app immediately upon the issue was reported to the product team, LG advises all G3 users to upgrade to the new version of the app to protect the device from the hands of attackers.
In addition to stealing the data on the microSD card, an attacker can also extract private images and information saved on the card including WhatsApp data. Moreover, the phishing attack has been planned in such a way that users could trust the notification and install the malicious program on the device.
Releasing a video, which is over three minutes, Bugsec Group demonstrates how the snap vulnerability has affected the LG G3 smartphone.
To recall, Lenovo had fixed a vulnerability, which affected its SHAREit app on the devices running Android and Windows few years back.
The app was prone to multiple security vulnerabilities, which enable an attacker to leak information or bypass security. Hence, LG is not the only company to have the vulnerability affecting a built-in app.
To see full details of the vulnerability, read the blog post at http://www.bugsec.com/news/snap-attack-lg or http://www.cynet.com/snapattack1.
