LG has fixed a security flaw that allowed hackers to remotely steal sensitive data stored on the SD card of G3 phones. The vulnerability put as many as 10 million LG G3 units at risk. According to the researchers, it could also be used for phishing attacks and for a full denial of service (DoS) against the affected devices.
The vulnerability lies in one of LG's native apps, Smart Notice, which comes pre-installed on every G3 unit. The app displays recent notifications and suggestions, including recommendations for favourite contacts, prompts to save a recent caller's contact information, and birthday reminders. However, the app fails to validate the data it presents to users, which lets hackers access data such as contact information and inject malware into a compromised device.
"Using the vulnerability, an attacker can easily open the user's device to a data theft attack, extracting private information saved on the SD card including WhatsApp data and private images; put the user in danger of a phishing attack by misleading the end-user; and enable the installation of a malicious program on the device," note the researchers from security firms BugSec Group and Cynet, who first discovered the vulnerability.
"We informed LG, which responded quickly to notice of the vulnerability, and we encourage users to immediately upgrade their application to the new Smart Notice release, which contains a patch," add the researchers.
The researchers were able to exploit the bug on vulnerable phones through contacts that contained malicious code, Ars Technica reports. Smart Notice then executes the hidden code when it displays callback reminders and birthday notifications.
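The root cause described above (contact fields rendered into the widget without validation, so markup in a contact name runs as code when a reminder is displayed) is the classic injection pattern. The following is an added illustration, not LG's Smart Notice code: the contact field names, the reminder template and the sample contact are all assumptions. It shows the unsafe rendering pattern beside a hardened one, plus a defence-in-depth allowlist check a defender can apply to contact data before it reaches any renderer.

```javascript
// Added example (not LG's code): rendering untrusted contact data into a
// notification widget. Field names and template are assumptions.

// Escape the five characters that let a string break out of HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: contact fields are concatenated straight into markup,
// so a name that contains a tag is interpreted as a tag, not as text.
function renderReminderUnsafe(contact) {
  return `<div class="reminder">Call back ${contact.name} (${contact.number})</div>`;
}

// Hardened pattern: every untrusted field is escaped before it enters markup.
function renderReminderSafe(contact) {
  return `<div class="reminder">Call back ${escapeHtml(contact.name)} ` +
         `(${escapeHtml(contact.number)})</div>`;
}

// Defence in depth: a contact name should look like a name. Reject anything
// outside letters, marks, digits, spaces and a few punctuation characters
// before it is stored or rendered at all (limit is an assumption).
function isPlausibleContactName(name) {
  return /^[\p{L}\p{M}\p{N} .,'\-]{1,64}$/u.test(String(name));
}

// Constructed sample: a contact whose name field carries markup instead of a name.
const SAMPLE_CONTACT = { name: '<script>alert(1)</script>', number: '+1 555 0100' };

// Check a reviewer or test suite could run over rendered output:
// does a raw script tag survive into the widget's HTML?
function containsRawScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

console.log('unsafe render leaks a tag :', containsRawScriptTag(renderReminderUnsafe(SAMPLE_CONTACT)));
console.log('safe render leaks a tag   :', containsRawScriptTag(renderReminderSafe(SAMPLE_CONTACT)));
console.log('name passes allowlist     :', isPlausibleContactName(SAMPLE_CONTACT.name));
```

Escaping at the point of output is the fix that actually closes the hole; the allowlist is an extra layer that also flags suspicious contacts for logging, which is useful on a device where contact data can arrive from synced accounts the user never reviews.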
"With a little tweak, we were able to load external scripts from a remote host and 'refresh' our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads," say the researchers.