‘SNAP’ – Millions of LG Smartphone Devices are Vulnerable to Phone Hijack
The ‘SNAP’ vulnerability, first discovered by BugSec security researchers Liran Segal and Shachar Korot, is a flaw in one of the LG applications, Smart Notice, which is pre-installed automatically on every new LG device. Smart Notice displays to users the recent notifications that can be forged to inject unauthenticated malicious code. Note that the application is on default work state.
Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading the end-user; and enable the installation of a malicious program on the device. We informed LG, which responded quickly to notice of the vulnerability and we encourage users to immediately upgrade their application to new Smart Notice release, which contains a patch.
The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users. Data can be taken from the phone contacts and manipulated. The attack can take place in several ways due to functionality issues of the Smart Notice application. The application pops notifications (named ‘cards’) in each of these scenarios:
• Favorite contact notification – Recommends you keep in touch with favorite contacts.
• New contact suggestion – Suggests saving a caller number.
• Callback reminder – Reminder to callback a contact after declining the call.
• Birthday notification – Reminder about contact birthday.
• Memo reminder – Provides notifications about user memos.
In order to explore the full possibilities of the vulnerability, BugSec and Cynet assembled a security team with Idan Cohen (BugSec CTO), Stas Volfus (Head of Offensive Security) and Israel Gurt (Application Security Team Leader).
During our testing, we were able to insert a new “malicious” contact to our contact list (with a script embedded) that was triggered by the “Callback Reminder” and by the “Birthday notification.” As evident in the example below, we were able to run our own code from the “WebView” context to the phone.
With a little tweak, we were able to load external scripts from a remote host and “refresh” our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads.
We found two possible scenarios:
The first scenario is to use the Callback function (ConciergeBoard\card_forms\reconnect_noti):
The second scenario is to use the Birthday function (ConciergeBoard\card_forms\birthday_noti_contact):
When a callback notification is set, the “@string” parameter displays the contact name without any validation.
Further investigation revealed to us where the update process is found: (ConciergeBoard\default_view\container)
During our exploitation, we created several easy-to-do payloads. Examples:
Data Harvesting – The application has ‘READ_EXTERNAL_STORAGE’ permission by default with allow us access to the phone external SD Card holding sensitive data of the device owner.
Phishing / Drive-By Attack – using ‘open_url’ function, we can auto open the phone browser to any remote site. This dangerous ability can make the user indirectly install a third-party application or access a phishing site. The payload we used: “Concierge.doAction(‘concierge://open_url?url=https://www.AttackerPhishingSite.com’)”
Denial of Service Attack – this was a more easily used payload which could make the user phone go crazy. While there are many possibilities for this attack, we used the basic one for the POC:
This causes an infinite loop that would soon consume all the phone resources and would essentially put the phone out-of-order until a hard reset.
Our team also created some easy attack vectors, in order to inject the malicious contact unnoticed to the phone user. The basic vector is created using a long contact name which is not seen by the user, but will still be activated by the application. Afterwards, a delivery method is needed for which we created two:
The QR Vector – by using social engineering, we can publish an ad asking the victim to scan the following QR code that will open a “save the contact” window, which requires only an approval click by the user.
The WhatsApp\MMS Vector – also by using social engineering, we can send a contact (with a forged source) that will be saved by the users.
We acknowledge that there are many other possible vectors that a remote attack can use to invoke the ‘SNAP.’