LG G3 owners vulnerable to a big security bug, fix available

By JC Torres/Jan. 29, 2016 4:00 am EST

The LG G3 was the Korean manufacturer's 2014 hero smartphone and came with a new feature called Smart Notice, LG's sort of answer to Google Now, Siri, and rival Samsung's S Voice. As convenient as that feature may be, its convenience apparently came with a price too high to pay. Researchers BugSec Group and Cynet have come across a gaping hole in the software that exposed each and every LG G3 owner to potential data theft and hijacking of their smartphone. Fortunately, LG now has a patch ready.

Like Google Now, Smart Notice tries to present G3 users with relevant and timely information, like outfit suggestions based on the weather, upcoming appointments and birthdays, and missed calls you need to return. The feature is, indeed, helpful but the problem is that LG could have probably used better security checks in implementing it.

According to the security researchers who discovered the vulnerability, Smart Notice made use of a WebView, an Android component used to process and display Web pages and Web apps. The researchers were able to easily manipulate Javascript code in order to do a frightening number of things, when, for example, a birthday notification is triggered or a call back reminder is displayed.

For example, it allowed them to take information from the SD card like photos and WhatsApp chat logs, the latter notorious for not encrypting or protecting its information. They could also automatically open the phone's browser to a specific website, which already opens the door to other security exploits. They could also start denial of service (DoS) attacks that could lock down the smartphone.

The good news is that LG has been notified of the problem and actually has a patch rolling out. The bad news is that, depending on your carrier or market, it could take some time before it reaches you. No known attacks using this vulnerability have been reported so far, but just to be safe, perhaps it might be best to disable Smart Notice in the mean time. The LG G4, which also has Smart Notice, doesn't seem to be affected.

VIA: Ars Technica