A group of researchers are encouraging any smartphone users who own an LG G3 to upgrade their devices after coming across a serious security vulnerability.
If exploited the bug could enable an attacker to run arbitrary JavaScript, and lead to a handful of issues, including data theft, phishing attacks and a denial of service.
The vulnerability, which researchers with the Israeli security firms BugSec and Cynet have nicknamed SNAP, stems from an issue that exists in a default app installed on each LG device.
The app, Smart Notice, pulls notifications from the device, but fails to validate user submitted data, meaning that when it pulls notifications and contacts, it feeds them directly to the app without thoroughly vetting them.
After they identified it, researchers with Cynet,Liran Segal and Scachar Korot, collaborated with BugSec’s CTO Idan Cohen, Head of Offensive Security Stas Volfus and Application Security Team Leader Israel Gurt to explore the vulnerability further.
The group found that if an attacker embedded malicious script in a contact, it would still be activated by the app. That’s because Smart Notice uses WebView, a system component powered by Chrome that allows Android apps to display web content. The functionality also makes it so a “programmer could extend the functionality of the “JavaScript” to run server side code,” according to a breakdown of the vulnerability, published Thursday by Cynet.
“Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images,” the researchers wrote.
Harvesting data from the device’s SD Card, opening the phone’s browser to a remote site, tricking them into installing a third-party application, and forcing the device into an infinite loop are all “easy-to-do” with the vulnerability, they said.
The researchers notified LG of the vulnerability and the South Korean conglomerate pushed out a patch, but seeing as the phone was only released in 2014, insist millions of phones could still be vulnerable.
“LG reacted immediately, which we appreciate,” Cohen said, “This is a major potential security breach into the personal data of millions of LG users worldwide.”