LG’s 2014 flagship G3 smartphone was recently reported to be affected by a vulnerability that could possibly allow attackers to steal data stored on the microSD card. The South Korean company however has fixed the vulnerability that could have affected around 10 million LG G3 users.
BugSec and Cynet researchers claimed that the “severe security vulnerability” in LG G3 smartphone allowed an attacker to run arbitrary JavaScript code on the device. The vulnerability could also easily lead to authentic phishing attacks and to a full denial of service (DOS) on the device.
According to the security researchers Liran Segal and Shachar Korot, the ‘Snap’ vulnerability was a flaw in LG’s Smart Notice app, which is preloaded on LG devices. “Smart Notice displays to users the recent notifications that can be forged to inject unauthenticated malicious code,” noted the researchers.
For those unaware, LG’s Smart Notice built-in app offers predictive recommendations based on the status of the phone, behaviour, and location.
LG was informed about the vulnerability and the company released an update for its Smart Notice app which brought a patch for the issue. The researchers suggest all the G3 users to upgrade to a new version of the vulnerable app.
Detailing how the vulnerability could be used, researchers said, “Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of a phishing attack by easily misleading him; and enable the installation of a malicious program on the device.” A video showing how the issue affected the LG G3 smartphone has also been shot and can be seen below.
LG is not the only brand which has lately been reported to be affected by a vulnerability affecting a built-in app. Recently, Lenovo fixed vulnerability affecting its SHAREit app that came bundled with devices running Android as well as Windows. The SHAREit app on both Android and Windows was prone to multiple vulnerabilities which could allow an attacker to leak information or bypass security.
[“source-gadgets.ndtv”]