LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models.
Remote actors can also exploit the bug to compromise users' privacy and authentication details by turning the "LG IME" keyboard into a keylogging tool, according to Check Point Software Technologies research engineer Slava Makkaveev, whom LG has credited with discovering the issue.
In a 8 May company blog post, Makkaveev explains that vulnerability is technically two bugs in one -- a language file download that relies on an insecure HTTP connection, and a validation flaw in LG's file system.
The first bug presents itself when an LG user downloads a new language for the device's handwriting mode, or even an update to a previously installed language file. This downloading process fails to employ the secure HTTPS protocol, leaving it vulnerable to a potential man-in-the-middle (MITM) proxy attack in which the metadata file "files.txt" is either corrupted with injected code or overwritten entirely. At this point, the now-malicious version of files.txt can instruct the device to download additional malicious files from an adversary-controlled URL.
Executing these files is where the second bug comes into play: The validation flaw bug allows the same MITM attackers to use a path traversal mechanism to write the downloaded files to whatever disk location they please within the LG keyboard package sandbox.
According to Makkaveev, as long as the downloaded file have the extension .so, the LG's keyboard application is programmed to grant it permission to execute. "So, if the metadata file is extended with a .so file, entry to the rogue lib file will be marked on the disk as executable," states the blog post, whose content was explained to SC Media in greater detail by Check Point researcher Jonathan Shimonovich.
In order to get the keyboard application to actually load and run the rogue file, the attackers can next designate the file as “input method extension library” within the keyboard configuration file /data/data/com.lge.ime/files/Engine.properties.
"By altering the files.txt metadata file, the Engine.properties file can also be overwritten by a fake one," the blog post continues. "LG's keyboard loads the libs [libraries] indicated in Engine.properties configuration file on the application's startup and the rogue lib we've injected inside the aforementioned file would be loaded as soon as the keyboard process restarts. Once we manage to inject the rouge lib inside Engine.properties, all we need to do is wait for the application to restart and load the library."
LG notes that its devices running on Android versions Android devices with OS 4.4, 5.0, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0 are affected.