Millions of LG G3 smartphone users are at risk of losing critical personal data due to a severe security weakness dubbed the ‘SNAP’ vulnerability.
This vulnerability is so grave that it can lead to data theft, denial of service (DoS) attacks and phishing attacks on LG G3 smartphones.
According to a blog post from threat detection service provider Cynet, the vulnerability was identified by BugSec researchers Shachar Korot and Liran Segal. It was discovered in LG's Smart Notice notification app and allows an attacker to run arbitrary JavaScript code on the newest LG devices.
You may not have heard of the Smart Notice app before; LG produced a promotional video for it. The app appears harmless and pretty neat, no?
Now read what security experts have to say about this app:
“The root cause of the security problem is the fact that Smart Notice does not validate the data presented to the users. Data can be taken from the phone contacts and manipulated.”
Specifically, the two researchers found that various Smart Notice functions, such as the New Contact suggestion, Birthday notification, Callback reminder and Memo reminder, can be exploited to carry out an attack using “Snap.”
Segal and Korot dug deeper into the matter and created a security research team to conduct different tests. The team inserted a “malicious” contact with a malicious script embedded in the contact's first name, and this was triggered by Smart Notice’s Callback and Birthday reminder functions.
This method let the team execute code in the WebView content on the phone and acquire active command and control over the phone to send new payloads. The researchers created various easy-to-use payloads over the course of their exploitation spree. These included harvesting data from the SD card in the phone, using an “open_url” function to open any malicious third-party website, normal web page or phishing page, and creating an infinite loop that effectively puts the phone out of commission until the victim performs a hard reset.
The team also found that a variety of attack vectors could be used to start exploiting the vulnerability. Some attacks are user-focused, such as surreptitiously inserting a contact with malicious code injected into the first name on a device. Or they could social-engineer the phone user into scanning an MMS or a QR code so that the user is prompted to save the contact with only one click.
When contacted by the team of researchers, LG responded quickly and issued a new Smart Notice release that contained a patch for this vulnerability.
Idan Cohen, BugSec’s Chief Technology Officer, thanked LG for its quick response in a press release, in which he stated:
“LG reacted immediately, which we appreciate. This is a major potential security breach into the personal data of millions of LG users worldwide.”
Given the severity of the ‘Snap’ vulnerability, it is important that all users update their copy of the LG Smart Notice app at the earliest opportunity. Meanwhile, vendors can avoid ‘Snap’-like weaknesses by validating input.
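The root cause described above, contact data shown in a WebView without validation, can be illustrated with a small added example that is not from the original article or from LG's code. The function names, the card markup and the sample contacts are assumptions made for illustration; the hardened renderer encodes contact fields at output time, and the audit helper applies a simple input check to stored names.

```javascript
// Added illustration; function and field names are hypothetical, not LG's code.

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak pattern: the contact field is concatenated into WebView markup as-is,
// so any markup stored in the name becomes part of the page.
function renderReminderUnsafe(contact) {
  return '<div class="card">Call back ' + contact.firstName + '?</div>';
}

// Hardened pattern: every contact-derived field is encoded at output time.
function renderReminderSafe(contact) {
  return '<div class="card">Call back ' + escapeHtml(contact.firstName) + '?</div>';
}

// Input validation for auditing: return contacts whose name fields contain
// anything shaped like an HTML tag.
function findSuspiciousContacts(contacts) {
  const tagLike = /<\s*\/?\s*[a-z!][^>]*>/i;
  return contacts.filter((c) =>
    [c.firstName, c.lastName].some((f) => typeof f === 'string' && tagLike.test(f)));
}

// Constructed sample address book (not real data).
const sampleContacts = [
  { firstName: 'Dana', lastName: "O'Neil" },
  { firstName: '<script>/* constructed marker */</script>', lastName: 'Test' },
];

for (const c of sampleContacts) {
  console.log('unsafe:', renderReminderUnsafe(c));
  console.log('safe:  ', renderReminderSafe(c));
}
console.log('flagged:', findSuspiciousContacts(sampleContacts).length);
```

Encoding at output keeps legitimate names such as O'Neil displayable, while the audit helper only reports entries for review and does not replace the encoding step.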