Overview
BugSec and Cynet researchers discovered a severe security vulnerability in LG G3 smartphones that allows an attacker to run arbitrary JavaScript code on the device. The vulnerability can easily lead to sensitive data theft, phishing attacks and a denial of service (DoS) on the device.

The ‘SNAP’ vulnerability, first discovered by BugSec security researchers Liran Segal and Shachar Korot, is a flaw in one of the LG applications, Smart Notice, which is pre-installed on every new LG device. Smart Notice displays recent notifications to the user, and these notifications can be forged to inject unauthenticated malicious code. Note that the application is active in its default state.

[Figure: LG1]

Using the vulnerability, an attacker can easily expose the user's device to data theft, extracting private information saved on the SD card, including WhatsApp data and private images; put the user at risk of a phishing attack by misleading the end user; and enable the installation of a malicious program on the device. We informed LG, which responded quickly to notice of the vulnerability, and we encourage users to immediately upgrade to the new Smart Notice release, which contains a patch.

The root cause of the security problem is that Smart Notice does not validate the data it presents to the user. This data can be taken from the phone's contacts and manipulated. The attack can take place in several ways because of how the Smart Notice application works. The application pops up notifications (called ‘cards’) in each of these scenarios:
• Favorite contact notification – Recommends that you keep in touch with favorite contacts.
• New contact suggestion – Suggests saving a caller's number.
• Callback reminder – Reminds you to call back a contact after declining the call.
• Birthday notification – Reminds you about a contact's birthday.
• Memo reminder – Provides notifications about user memos.

[Figure: lg2]

In order to explore the full possibilities of the vulnerability, BugSec and Cynet assembled a security team with Idan Cohen (BugSec CTO), Stas Volfus (Head of Offensive Security) and Israel Gurt (Application Security Team Leader).

Exploitation:
During our testing, we were able to insert a new “malicious” contact into our contact list (with a script embedded) that was triggered by the “Callback Reminder” and by the “Birthday notification.” As evident in the example below, we were able to run our own code from the “WebView” context on the phone.

[Figure: lg3]

With a small tweak, we were able to load external scripts from a remote host and “refresh” our code every few seconds, giving us active command and control over the LG phone and the ability to send new payloads.

[Figure: lgg3]

Since Smart Notice is a “WebView”-based application, a programmer could extend the functionality of the “JavaScript” to run server side code, which gives the attacker a larger set of options. To explore this, we examined the client side application code, located in the following path:
root/system/etc/mrg_default_forms/ConciergeBoard/.

We found two possible scenarios:
The first scenario uses the Callback function (ConciergeBoard\card_forms\reconnect_noti):

[Figure: lg5]

The second scenario uses the Birthday function (ConciergeBoard\card_forms\birthday_noti_contact):

[Figure: lg6]

When a callback notification is set, the “@string” parameter displays the contact name without any validation.
Further investigation revealed where the update process is located (ConciergeBoard\default_view\container):

[Figure: lg7]

The update uses an internal function ‘doAction’ that is in fact a JavaScript interface exposed to the WebView. We assume there are many more functions that could be used to extend the attack. We extracted the LGConciergeBoard APK (Android Package Kit) in order to detect any other interfaces to use, and to learn how to access them.
We found that the “doAction” function is used as a JavaScript Interface which can communicate with “IurlActionHandler,” “setDbActionHandler,” “cardActionHandler” etc., obviously providing many payload vectors to attackers.
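The defect described above is the raw substitution of a contact name into the card's “@string” placeholder. The following is an added illustration, not LG's Smart Notice code: a mock card template rendered once without validation and once with HTML escaping, checked against a constructed contact name that carries markup. The template, function names and the sample contact are all assumptions made for the example.

```javascript
// Mock card template standing in for the Smart Notice card form; "@string"
// is filled with the contact name (assumed layout, not LG's actual markup).
const CARD_TEMPLATE =
  '<div class="card"><span class="title">Call back @string</span></div>';

// Unvalidated rendering, as in the reported flaw: markup inside the contact
// name is handed to the WebView as HTML instead of being shown as text.
function renderCardUnsafe(contactName) {
  return CARD_TEMPLATE.replace('@string', contactName);
}

// Escape the five characters that let untrusted text break out of HTML
// text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: escape before substituting. A replacer function is
// used so "$" patterns in the name are not interpreted by String.replace.
function renderCardSafe(contactName) {
  return CARD_TEMPLATE.replace('@string', () => escapeHtml(contactName));
}

// Detection helper: true when rendered HTML contains a script element or an
// inline event handler, i.e. content that would execute in the WebView.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed contact name carrying a script, modelled on the report's
// doAction payload shape; the URL is a placeholder, not a real site.
const injectedName =
  'Alice<script>Concierge.doAction("concierge://open_url?url=https://example.invalid")</script>';

console.log(containsActiveContent(renderCardUnsafe(injectedName))); // true
console.log(containsActiveContent(renderCardSafe(injectedName)));   // false
```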

During our exploitation, we created several easy-to-do payloads. Examples:

Data Harvesting – The application has the ‘READ_EXTERNAL_STORAGE’ permission by default, which gives us access to the phone's external SD card holding sensitive data of the device owner.

Phishing / Drive-By Attack – using the ‘open_url’ function, we can automatically open the phone browser to any remote site. This dangerous ability can lead the user to indirectly install a third-party application or visit a phishing site. The payload we used: Concierge.doAction('concierge://open_url?url=https://www.AttackerPhishingSite.com')

Denial of Service Attack – this was an even simpler payload which could make the user's phone go crazy. While there are many possibilities for this attack, we used the most basic one for the PoC:
while(true){Concierge.doAction('concierge://open_url?url=https://www.bugsec.com')}
This causes an infinite loop that soon consumes all the phone's resources and essentially puts the phone out of order until a hard reset.

Attack Vectors
Our team also created some simple attack vectors to inject the malicious contact without the phone user noticing. The basic vector uses a long contact name that is not seen by the user but is still processed by the application. A delivery method is then needed, and we created two:

The QR vector – using social engineering, we can publish an ad asking the victim to scan a QR code that opens a “save the contact” window, which requires only an approval click by the user.

The WhatsApp/MMS vector – also using social engineering, we can send a contact (with a forged source) that will be saved by the user.

We acknowledge that there are many other possible vectors that a remote attacker could use to invoke ‘SNAP.’