Check Point Software Technologies this weekend disclosed two vulnerabilities specifically endemic to LG mobile devices, both of which if exploited could allow a hacker to remotely attack a device. LG has already issued fixes for both issues.
The first vulnerability resides in a privileged LG service called LGATCMDService which is not protected by any bind permission. Consequently, any app can communicate with this service, including malicious ones crafted by bad actors, with the intention of remotely attacking a device.
According to a Check Point blog post, the second flaw was a SQL injection vulnerability found in LG’s implementation of the WAP (Wireless Application Protocol) Push protocol. This particular issue “allows a remote attacker to delete or modify SMS messages received on a device. This approach could be used as part of a phishing scheme to steal a user’s credentials or to install a malicious app.”