Bug in pre-installed app opens LG G3 smartphone owners to data theft, phishing

Two BugSec researchers have discovered a serious vulnerability in LG’s G3 Android devices, which can be exploited to steal user data, mount phishing attacks, install malicious apps, and more.

Dubbed “Snap”, the vulnerability is located in the Smart Notice app that comes pre-installed on every new LG device, and is activated by default.

“Smart Notice displays to users the recent notifications that can be forged to inject unauthenticated malicious code. The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users,” the researchers explained.

More details about the various ways this flaw can be exploited can be found in this whitepaper (registration required). A demo of the attack has also been provided.

LG has been informed about the existence of the flaw, and has already patched it in the latest release of the Smart Notice app, which users are urged to install as soon as possible.

There is currently no indication that the bug is being exploited in the wild.