LG closes data-theft hole affecting millions of G3 smartphones

LG is closing a security hole that makes it possible for attackers to steal chat histories and other sensitive data stored on an estimated 10 million G3 phones.

The vulnerability resides in an LG app called Smart Notice. It comes preinstalled on new LG G3 devices and displays a variety of notifications and suggestions, including recommendations to stay in touch with favorite contacts, saving recent callers' contact information, and birthday reminders. The app fails to validate data presented to users, making it possible for attackers to manipulate data such as contact information so that it executes malicious code on affected handsets.

"Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading the end-user; and enable the installation of a malicious program on the device," researchers wrote in a blog post published Thursday. "We informed LG, which responded quickly to notice of the vulnerability and we encourage users to immediately upgrade their application to new Smart Notice release, which contains a patch."

The researchers said they were able to exploit the bug by presenting vulnerable phones with contacts that were laced with malicious code. When events such as callback reminders or birthday notifications were displayed, Smart Notice would then execute the hidden payloads.

"With a little tweak, we were able to load external scripts from a remote host and 'refresh' our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads," the researchers reported. They continued:

Since Smart Notice uses a “WebView”-based application, a programmer could extend the functionality of the “JavaScript” to run server side code, allowing the attacker a bigger set of options. For this, we examined the client side application code, located in the following path: root/system/etc/mrg_default_forms/ConciergeBoard/.

We found two possible scenarios:
The first scenario is to use the Callback function (ConciergeBoard\card_forms\reconnect_noti):

The second scenario is to use the Birthday function (ConciergeBoard\card_forms\birthday_noti_contact):

When a callback notification is set, the “@string” parameter displays the contact name without any validation.

Further investigation revealed to us where the update process is found: (ConciergeBoard\default_view\container)

The update uses an internal function ‘doAction’ that is in fact a JavaScript interface ability published to the WebView. We assume there are many more functions that we could use to extend our attack. We extracted the LGConciergeBoard Apk (Android Package Kit) in order to detect any other interfaces to use, and to learn how to access them.

We found out that the “doAction” function is used as a JavaScript Interface which can communicate with “IurlActionHandler,” “setDbActionHandler,” “cardActionHandler” etc., obviously providing many sets of payload vectors to attackers.

The researchers developed several proof-of-concept payloads, including one that harvests data from the the SD card, another that opens the browser to any remote site, and a third that performs a denial-of-service attack that "could make the [user's] phone go crazy."

The vulnerability was discovered and privately reported by researchers from security firms BugSec Group and Cynet. Now that LG has issued a patch, people with vulnerable phones should install it as soon as possible.