Security hole in LG's Smart Notice app is to blame

Jan 28, 2016 19:50 GMT

LG has issued a security update to patch a phone hijacking issue in its G3 flagship series that affected the Smart Notice application, pre-installed on all new devices.

Security researchers from BugSec and Cynet, Liran Segal and Shachar Korot, discovered that attackers could inject and then execute malicious JavaScript code via Smart Notice.

The app, launched by LG in 2014, works by showing various notifications on the user's homescreen. These notifications are displayed on certain events, such as for a memo reminder, a callback reminder, a new contact suggestion, favorite contact notifications, and for birthday notifications.

Malicious code is hidden in contact list entries

In their experiments, the researchers created a contact entry whose fields responsible for triggering callback and birthday notifications contained malicious code.

To exploit this security hole, an attacker does not necessarily need the user to approve a new contact download. The researchers experimented with infection vectors that placed malicious contacts on the victim's phone without requiring any interaction. They explained that this could be done via QR codes, MMS messages, or WhatsApp contacts.

Once a user is infected with the rogue contact, regardless of method, whenever the time comes for the Smart Notice app to show the reminder, the malicious code is executed as well.

The problem resides in the fact that LG developers did not add validation rules to the Smart Notice app: contact-list fields were rendered without being checked or sanitized, so malicious code stored in those fields was executed on the phone.
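As an added illustration (not LG's code), the following JavaScript shows the unsafe rendering pattern beside its hardened form, assuming the reminder text is assembled as HTML for a web view; the contact object, its field names and the import-time check are constructed for this example.

```javascript
// Minimal HTML escaping for untrusted text placed inside element content.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: contact fields are concatenated straight into the markup,
// so any tag stored in the contact becomes part of the rendered page.
function buildNoticeUnsafe(contact) {
  return `<div class="notice">Call back ${contact.name} (${contact.phone})</div>`;
}

// Hardened pattern: every untrusted field is escaped before insertion,
// so stored markup is displayed as text rather than interpreted.
function buildNoticeSafe(contact) {
  return `<div class="notice">Call back ${escapeHtml(contact.name)} (${escapeHtml(contact.phone)})</div>`;
}

// Defensive check at import time (vCard, QR code, MMS): return the names of
// fields that carry markup or script-like content so they can be logged or
// rejected before a notice is ever built from them. Assumed policy, not LG's.
function findSuspiciousFields(contact) {
  const markup = /<\s*\/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=/i;
  return Object.entries(contact)
    .filter(([, v]) => markup.test(String(v)))
    .map(([k]) => k);
}

// Constructed sample contact: the name field carries a harmless script tag.
const constructedContact = {
  name: 'Alice <script>probe()</script>',
  phone: '555-0100',
  birthday: '1990-01-01',
};
```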

Total device compromise is possible

BugSec and Cynet researchers claimed that, during their tests, they managed to take complete control of the device. In their experiment, also presented in the video below, they first established a connection to the C&C server, from where they instructed the phone to carry out other commands.

Researchers were able to launch phishing attacks, steal data from the device, and even install other applications that acted as backdoors.

Users who would like to avoid having their phone compromised should update to the latest Smart Notice version, which LG has released today.