Researchers at BugSec and Cynet discovered a recently patched vulnerability in the LG G3 Android smartphone that could allow an attacker to run arbitrary JavaScript code.
Named the SNAP vulnerability, the bug could affect as many as 10 million devices worldwide and could enable an attacker to steal data and perform phishing, denial of service (DOS), and drive-by attacks, according to a release.
The vulnerability exists in the pre-installed LG application "Smart Notice" which is used to display various pop-up notifications on the device, according to Jan. 28 blog post.
There are several possible vectors a threat actor can use to carry out the attack including, exploiting the birthday notification and the callback reminder, researchers said in the post.
Researchers were also able to exploit the vulnerability through the QR and WhatsApp/MMS vectors to socially engineer ads and notifications designed to trick users into divulging information.
The root cause of the vulnerability is the fact that Smart Notice doesn't validate the data presented to users, researchers said in the post.
Cynet's CEO and founder Eyal Gruner told SCMagazine.com that vendors can prevent vulnerabilities like this by using input validation, which creates an outer defensive perimeter for the web application.
In a proof of concept video describing an attack, researchers sent a contact containing malicious code in the name field to the device and saved it.
Once infected, researchers were able to extract data from the phone's SD card, open browser applications to access remote sites and more.
LG reacted immediately once they were notified of the bug, and patched the vulnerability, researchers said in the post.
Researchers recommended that anyone infected by the bug download the patch immediately.
[hm-iframe width="416" height="296" frameborder="0" src="https://outsidelens.scmagazine.com/video/Snap-Vulnerability/player?layout=&read_more=1" scrolling="no"]
