Snap vulnerability in LG G3 Android phones leave users at risk of data theft

Users urged to apply patch to Android vulnerability as soon as possible.

Snap vulnerability in LG G3 Android phones leave users at risk of data theft
Snap vulnerability in LG G3 Android phones leave users at risk of data theft

Researcher have discovered a serious flaw in LG G3 Android smartphones that leaves device open to data theft.

Dubbed Snap, the vulnerability could allow a hacker to run arbitrary JavaScript code on the vulnerable LG devices, according to security researchers from BugSec and Cynet. The bug can be found in one of the LG applications, Smart Notice, which is pre-installed automatically on every new LG device. Smart Notice displays to users recent notifications and these can be forged to inject unauthenticated malicious code.

“Using the vulnerability, an attacker can easily open the user device to conduct a data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading him; and enable the installation of a malicious program on the device,” said researchers in a report.

The researchers said the root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users. “Data can be taken from the phone contacts and manipulated. The attack can take place in several ways due to functionality issues of the Smart Notice application,” the researchers added.

The BugSec researchers said they had notified LG about the problem and in response, LG had patched up the flaw as an update to the application.

SCMagazineUK.com has approached LG for a comment on the issue but at the time of publication we had not received a reply.

David Kennerley, senior manager for threat research at Webroot, told SCMagazineUK.com that this is a “pretty scary vulnerability”, and one that gives hackers relatively easy access to personal data stored on the device.  

“And allows for further attacks either by using the stolen data or by downloading further payloads to the compromised device.  With a small amount of extra effort, it could easily be possible infiltrate the corporate network from this beachhead,” he said.

“The flaw is believed to affect an estimated 10 million G3 phones.  Whereas LG has acted quickly to close the security hole, the application upgrade is still reliant on the phone owner downloading and installing the fix, which as we've seen previously, isn't always a given.”

He said that if data is stolen via this method it's important that all employees in the organisation are made aware. 

“This can help mitigate the possibility of future social engineering attacks, like spear-phishing.  They need to discover the scope of the data breach as soon as possible, always work on the premise - that it's the worst possible scenario – leave no stone unturned,” said Kennerley.

Mark James, security specialist at Eset, told SCMagazineUK.com that even with good security software installed, organisations would still be at risk until a patch was installed.

“Currently you need to install this yourself, of course limiting the amount of data that is stored on these devices in the first place would mitigate any damage done even it were to be exploited,” he said.