LG patches data theft bug affecting millions of Android phones

Malicious JavaScript could be entered into a contact form

LG has patched a security flaw in an application preinstalled on millions of its Android G3 smartphones that researchers found could be used to steal a variety of data.

The application, called Smart Notice, is a kind of multifunctional widget, managing contacts, notifications, and weather and traffic alerts.

Researchers from BugSec and Cynet, two computer security companies, found that they could attack a person's phone by sending them a contact with malicious JavaScript contained in the name field, according to a video.

Once the code was on the phone, any information stored on its SD card, such as private images and chat logs, could be stolen.

"The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users," BugSec and Cynet wrote in a blog post on Thursday.

The researchers found a variety of ways to trigger their malicious code and carry out actions, such as opening a phishing site that tries to steal a person's Gmail credentials or prompt a person to download a remote access trojan.

"With a little tweak, we were able to load external scripts from a remote host and 'refresh' our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads," the companies wrote.

It was also possible to conduct a denial-of-service attack that could only be stopped by doing a hard reset of the phone, they wrote.

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.

More about LGSmart

Show Comments
[]