LG has patched two severe vulnerabilities that reside in the default keyboard on all mainstream LG smartphones, including its flagship handsets; the flaws could be used to remotely execute code with elevated privileges.
LG’s update also includes a fix for a critical Android issue, from Google.
The first issue has to do with the fact that LG’s keyboard supports handwriting modes in various languages. When a new language or an update for an existing one is installed, the device reaches out to a hardcoded server, from which it retrieves the requested language file or library. According to Check Point, which reported the flaws, the problem is that this download is done over an insecure HTTP connection, exposing it to man-in-the-middle attacks. A remote attacker could simply download a malicious file instead of the intended language file.
The second problem is a validation flaw in LG’s file system. The resource files within the LG keyboard package sandbox can be modified; and, LG’s keyboard application grants executable permissions for any downloaded library file with the .so extension. Thus, an attacker that has gained MITM access via the first flaw can now inject a rogue executable file by simply appending the .so extension to a library download.
Also, by altering the files.txt metadata file, the Engine.properties file can also be overwritten by a fake one.
“LG’s keyboard loads the [library] indicated in Engine.properties configuration file on the application’s startup, and the rogue lib we’ve injected inside the aforementioned file would be loaded as soon as the keyboard process restarts,” explained Check Point researcher Slava Makkaveev, in an analysis. “Once we manage to inject the rouge lib inside Engine.properties, all we need to do is wait for the application to restart and load the library.”
The vulnerabilities, which LG treats as one flaw, are unique to LG devices. The threat surface is notable: The Korean giant’s phones hold about a 16 percentĀ market share in the U.S., according to Strategy Analytics.
The general Android flaw meanwhile, which affects not only LG but other Android phones, is a critical vulnerability in Media framework that could enable a remote attacker to execute arbitrary code within the context of a privileged process, using a specially crafted file.
LG released a patch for all of these in its May security update.