LG Plugs SNAP Vulnerability That May Embed Malicious Codes In 10 Million LG G3 Smartphones

Aaron Mamiit, Tech Times 29 January 2016, 08:01 am

Researchers from cybersecurity firms Cynet and BugSec have discovered a serious security issue in the LG G3 that gives attackers the ability to run arbitrary JavaScript code on the smartphones.

By running such codes, attackers can steal sensitive information, launch phishing attacks to infiltrate protected accounts and implement complete denial of service hacks on the LG G3.

Named the SNAP vulnerability, the bug was first discovered by security researchers Shachar Korot and Liran Segal. It is connected to the Smart Notice application of LG which is preinstalled on all new LG devices.

The Smart Notice app displays different suggestions and notifications, such as reminding to stay in touch with the user's favorite contacts, saving callers' contact information and issuing reminders for friends' birthdays. However, the app is not able to validate any of the data it is presenting to users, which attackers can exploit by manipulating the data to lead to the execution of malicious code.

To demonstrate the bug, the security researchers presented users of vulnerable LG G3 devices with contacts that contain malicious code. When tasks such as birthday notifications and callback reminders were shown by Smart Notice, the app executed the hidden codes.

The proof-of-concept codes the researchers were able to successfully execute through the discovered vulnerability were able to extract data from the smartphone's SD card, open the smartphone's browser to access a remote site and perform a DoS attack which made the LG G3 "go crazy."

The vulnerability was reported by the security firms to LG, which thankfully was able to shortly release a patch to fix the vulnerability in Smart Notice. LG G3 users who see the patch waiting to be installed should do so immediately to protect themselves from the malicious attacks hackers can launch by exploiting the issue.

No other LG smartphones are affected by the SNAP vulnerability.

LG has recently also admitted to a bootloop problem that is affecting the LG G3's successor, the LG G4. Owners of the smartphone have been complaining about the issue for several months, but only recently has the company acknowledged the problem.

According to the company, the bootloop issue stems from loose components within the smartphone, and that it will be providing repairs to all LG G4 units experiencing the problem.