LG mitigated two vulnerabilities that can elevate privileges on its mobile devices, which could allow for a remote attack, researchers said.
The holes affect only LG devices, said researchers at Check Point. Those devices account for more than 20 percent of the Android OEM market in the United States.
The first vulnerability allows a malicious app installed on an LG device to take advantage of the lack of bind permissions in an LG service and to elevate its privileges, allowing additional control of the device, the researchers said.
The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device, researchers said. This approach could be used as part of a phishing scheme to steal a user’s credentials or to install a malicious app.
The first vulnerability is in a privileged LG service called ‘LGATCMDService.’
This service was not protected by any bind permission, meaning any app could communicate with it, regardless of its origin or permissions. By connecting to this service, an attacker could address ‘atd’, a high-privileged user mode daemon and a gateway for communications with the firmware. In addition, atd can:
• Read and overwrite private identifiers like the IMEI and MAC address
• Reboot a device
• Disable a device’s USB connection
• Wipe a device
• Brick a device completely
Ransomware would find these features very useful: it could lock a user out of a device and then disable the ability to retrieve files by connecting the device to a PC via USB.
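As an added example (not code from Check Point or LG), the following Python audit flags services in a decoded AndroidManifest.xml that are exported without a bind permission, or guarded only by a low-protection-level permission, which is the class of weakness described above for LGATCMDService. The sample manifest and every package, service and permission name in it are constructed and hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not LG's); every name in it is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor">
  <permission android:name="com.example.vendor.BIND_CMD"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.vendor.OPEN"
              android:protectionLevel="normal"/>
  <application>
    <service android:name=".OpenCmdService" android:exported="true"/>
    <service android:name=".ImplicitCmdService">
      <intent-filter><action android:name="com.example.CMD"/></intent-filter>
    </service>
    <service android:name=".GuardedCmdService" android:exported="true"
             android:permission="com.example.vendor.BIND_CMD"/>
    <service android:name=".WeakGuardService" android:exported="true"
             android:permission="com.example.vendor.OPEN"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""

def audit_services(manifest_xml):
    """Return (service, reason) for exported services any app could bind to."""
    root = ET.fromstring(manifest_xml)
    # Protection level of each permission declared here ("normal" is the default).
    levels = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for app in root.iter("application"):
        for svc in app.iter("service"):
            exported = svc.get(NS + "exported")
            if exported is None:
                # Before Android 12 an intent filter implied exported="true".
                exported = "true" if svc.find("intent-filter") is not None else "false"
            if exported != "true":
                continue
            # A service-level permission overrides the application-wide one.
            perm = svc.get(NS + "permission") or app.get(NS + "permission")
            name = svc.get(NS + "name")
            if perm is None:
                findings.append((name, "exported with no bind permission"))
            elif levels.get(perm) in ("normal", "dangerous"):
                findings.append((name, f"permission {perm} is only {levels[perm]}-level"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_services(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

Permissions declared outside the audited manifest, such as platform permissions, are not resolved here, so services guarded by them are not flagged.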
The second vulnerability exploits LG’s unique implementation of the WAP Push protocol.
WAP Push is the SMS protocol (PDU) used to send URLs to mobile devices. The protocol was intended for use by mobile carriers rather than users, and it includes “update” and “delete” features. LG’s implementation contained an SQL injection vulnerability that allowed attackers to send messages to devices with the ability to delete or modify all text messages stored on the device.
An attacker could use this vulnerability to conduct credential theft or to trick a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.
LG issued fixes for the vulnerabilities, and Check Point recommends that users:
• Examine carefully any app installation request before accepting it to make sure it is legitimate
• Contact your mobility, IT, or security team for more information about how it secures managed devices
• Use a personal mobile security solution that monitors your device for any malicious behavior
• Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats