Check Point found two vulnerabilities in LG mobile devices: one lets a local app elevate its privileges, the other can be exploited remotely. These vulnerabilities are unique to LG devices, which account for over 20% of the Android OEM market in the US.
The first vulnerability allows a malicious app installed on an LG device to abuse the lack of a bind permission on an LG service and elevate its privileges, gaining additional control over the device. The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. This could be used as part of a phishing scheme to steal a user’s credentials or to install a malicious app.
Local vulnerability: CVE-2016-3117
The first vulnerability is in a privileged LG service called ‘LGATCMDService’. This service was not protected by any bind permission, meaning any app could communicate with it, regardless of its origin or permissions. By connecting to this service, an attacker could address ‘atd’, a high-privileged user-mode daemon that acts as a gateway for communication with the firmware. Through atd, an attacker could also:
- Read and overwrite private identifiers like the IMEI and MAC address
- Reboot a device
- Disable a device’s USB connection
- Wipe a device
- Brick a device completely.
Ransomware could make use of these capabilities: lock the user out of the device, then disable USB so the files cannot be retrieved by connecting the device to a PC.
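The root cause described above is a privileged Android service that any app could bind to. The following is an added example, not LG's or Check Point's code, of how such a service is normally hardened: the manifest restricts who may bind, and every Binder entry point re-checks the caller at runtime rather than trusting the manifest alone. The class name, permission string, command set and manifest fragment are assumptions for illustration.

```java
// Added example (not LG's or Check Point's code). Assumed names:
// DeviceControlService, com.example.permission.DEVICE_CONTROL, the command set.
//
// Assumed manifest fragment for this service:
//   <permission android:name="com.example.permission.DEVICE_CONTROL"
//               android:protectionLevel="signature" />
//   <service android:name=".DeviceControlService"
//            android:exported="true"
//            android:permission="com.example.permission.DEVICE_CONTROL" />
// With android:permission set, the framework rejects bindService() from any
// caller that does not hold the permission; with protectionLevel="signature",
// only apps signed with the same key as this one can be granted it.
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.util.Log;

public class DeviceControlService extends Service {
    private static final String TAG = "DeviceControlService";
    static final String PERM_DEVICE_CONTROL = "com.example.permission.DEVICE_CONTROL";

    // Result codes returned to the caller (assumed).
    static final int RESULT_OK = 0;
    static final int RESULT_UNKNOWN_COMMAND = 1;

    private final ControlBinder binder = new ControlBinder();

    public final class ControlBinder extends Binder {
        // Every IPC entry point checks the caller. A manifest attribute that is
        // missing or misspelled would otherwise silently expose the service.
        public int execute(String command) {
            enforceCaller();
            Log.i(TAG, "command from uid " + Binder.getCallingUid() + ": " + command);
            return dispatch(command);
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Rejects any caller outside our own uid that lacks the signature permission.
    // checkCallingPermission() only makes sense while handling an IPC; a call
    // from our own process is identified by uid instead.
    private void enforceCaller() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) {
            return;
        }
        if (checkCallingPermission(PERM_DEVICE_CONTROL) != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "rejected command from uid " + uid);
            throw new SecurityException("caller uid " + uid + " lacks " + PERM_DEVICE_CONTROL);
        }
    }

    // Only an allow-list of commands is accepted; anything else is refused rather
    // than forwarded to a privileged daemon.
    private int dispatch(String command) {
        switch (command) {
            case "READ_IMEI":
            case "REBOOT":
                // Privileged work would happen here.
                return RESULT_OK;
            default:
                Log.w(TAG, "unknown command rejected: " + command);
                return RESULT_UNKNOWN_COMMAND;
        }
    }
}
```

The two layers are deliberate: the manifest permission stops unauthorised binds before the service process is even reached, and the per-call `enforceCaller()` plus the command allow-list limit the damage if the manifest declaration is ever weakened. Logging the rejected caller's uid gives the device owner or an MDM agent something to detect repeated probing of the service.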
Remote vulnerability: CVE-2016-2035
This vulnerability lies in LG’s unique implementation of the WAP Push protocol. WAP Push is an SMS-based protocol (carried in SMS PDUs) used to send URLs to mobile devices. It was intended for use by mobile carriers rather than users and includes “update” and “delete” features. LG’s implementation contained an SQL injection vulnerability that allowed an attacker to send crafted messages capable of deleting or modifying all text messages stored on the device.
An attacker could use this vulnerability for credential theft or to trick a user into installing a malicious app: by modifying a user’s unread SMS messages, the attacker could insert a malicious URL that leads to a malicious app download or to a fake overlay that steals credentials.
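The WAP Push “update” and “delete” features act on previously stored messages, so the implementation has to look up rows using an identifier taken from the network. The following added example (not LG's or Check Point's code) shows the general pattern that produces an SQL injection of this kind beside the hardened form: the identifier is bound as a parameter, validated, and the operation is refused if it would touch more than one row. The table, column names and identifier format are assumptions; this is illustrative code, not LG's implementation.

```java
// Added example (not LG's or Check Point's code). Assumed schema: table
// wap_messages with columns si_id (identifier carried in the WAP Push payload)
// and body (message text). The identifier format rule is also an assumption.
import android.content.ContentValues;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.util.Log;

public final class WapPushStore {
    private static final String TAG = "WapPushStore";
    static final String TABLE = "wap_messages";
    static final String COL_ID = "si_id";
    static final String COL_BODY = "body";

    private WapPushStore() {}

    // Vulnerable pattern: a network-supplied value is spliced into the SQL text.
    // Quote characters inside it change the statement, so one message can reach
    // rows the sender should never be able to touch. Kept only for contrast.
    static void deleteUnsafe(SQLiteDatabase db, String siIdFromNetwork) {
        db.execSQL("DELETE FROM " + TABLE + " WHERE " + COL_ID + " = '" + siIdFromNetwork + "'");
    }

    // Defence in depth: restrict the identifier to the character set we expect
    // (assumed policy). Parameter binding alone already prevents injection; this
    // rejects malformed input early and gives a clean log line for detection.
    static boolean isWellFormedId(String siId) {
        return siId != null && siId.length() <= 64 && siId.matches("[A-Za-z0-9._:/-]+");
    }

    // Hardened delete: the identifier is bound with '?', so SQLite treats it
    // purely as data. Returns the number of rows removed (0 or 1).
    static int deleteSafe(SQLiteDatabase db, String siIdFromNetwork) {
        if (!isWellFormedId(siIdFromNetwork)) {
            Log.w(TAG, "rejected malformed WAP Push identifier");
            return 0;
        }
        if (DatabaseUtils.queryNumEntries(db, TABLE, COL_ID + " = ?",
                new String[] { siIdFromNetwork }) != 1) {
            Log.w(TAG, "identifier does not match exactly one stored message; ignoring");
            return 0;
        }
        return db.delete(TABLE, COL_ID + " = ?", new String[] { siIdFromNetwork });
    }

    // Hardened update: same binding and single-row check. A remote message must
    // never be able to rewrite more than the one row it refers to.
    static int replaceBodySafe(SQLiteDatabase db, String siIdFromNetwork, String newBody) {
        if (!isWellFormedId(siIdFromNetwork)) {
            Log.w(TAG, "rejected malformed WAP Push identifier");
            return 0;
        }
        String[] args = new String[] { siIdFromNetwork };
        db.beginTransaction();
        try {
            if (DatabaseUtils.queryNumEntries(db, TABLE, COL_ID + " = ?", args) != 1) {
                Log.w(TAG, "identifier does not match exactly one stored message; ignoring");
                return 0;
            }
            ContentValues cv = new ContentValues();
            cv.put(COL_BODY, newBody);
            int changed = db.update(TABLE, cv, COL_ID + " = ?", args);
            db.setTransactionSuccessful();
            return changed;
        } finally {
            db.endTransaction();
        }
    }
}
```

The essential fix is the `?` placeholder with `whereArgs`: `SQLiteDatabase.delete()` and `update()` pass the value to SQLite as a bound parameter, so it can never alter the statement. The row-count check and the input-format rule are additional controls: the first turns an attempt to affect many messages into a logged no-op, the second rejects identifiers that look nothing like what a carrier would send.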
LG has issued fixes for both vulnerabilities, and Check Point recommends taking additional steps to mitigate risks:
- Examine carefully any app installation request before accepting it to make sure it is legitimate
- Contact your mobility, IT, or security team for more information about how it secures managed devices
- Use a personal mobile security solution that monitors your device for any malicious behavior
- Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats.
Check Point made LG aware of both vulnerabilities before disclosing them publicly, and LG has issued fixes for both.