Outdated LG Android software revealed to have security flaws
Cyber security is a never-ending search for vulnerabilities, with major hacks of established entities nearly always making headlines. Last year's "Stagefright" issue on Android devices, for example, was highly publicized.
This time, the team at Check Point Software has discovered two new security flaws that are exclusive to LG devices. Thankfully, LG was contacted before the vulnerabilities were made public so that the manufacturer could provide a timely patch.
The first flaw allowed malicious apps to gain rights outside of their defined space and take over the phone, while the second flaw would have made it possible for external attackers to delete or manipulate messages and obtain personal information from the owner. In particular, the first flaw lay in the running service 'LGATCMDService', which is responsible for app communications and did not first require user confirmation. A takeover could result in the following worst-case scenarios:
- Reading and overwriting of private identification details, including IMEI or MAC addresses
- Constant rebooting of the device
- Deletion of data
- "Bricking" of the device
Meanwhile, the second flaw involved the "WAP Push protocol" service, which allows URLs to be sent via SMS. An attack exploiting this vulnerability would have allowed outsiders to send false URLs masquerading as official LG updates, tricking the owner into sending out personal information and receiving "official" updates.
Check Point Software has uploaded a demo of the vulnerabilities below.