Press Releases

BugSec, Cynet Uncover SNAP, a Major Vulnerability on LG G3 Devices

Millions of LG Smartphones Could Be Hijacked, Personal Data Breached.


TEL AVIV, ISRAEL — Thursday, January 28, 2015

BugSec Group Ltd., a leading provider of cyber security services (www.bugsec.com), and Cynet,
pioneers of the all-in-one agentless solution for detection and remediation of advanced and
unknown threats, announced today that a joint team of researchers has
discovered a severe security vulnerability in LG G3 Android devices, enabling the potential
hijack of an estimated 10 million smartphones worldwide.

‘SNAP’ is a smartphone vulnerability that allows an attacker to run arbitrary JavaScript code on
the devices, which can easily lead to private data leakage, phishing attacks and denial of
service (DoS) on the device.

The SNAP vulnerability, first discovered by team security researchers Liran Segal and Shachar
Korot, is a flaw in one of the pre-installed LG applications, Smart Notice, which exists on every
new LG G3 device. Smart Notice displays recent notifications to users, and these notifications can
be forged to inject unauthenticated malicious code. The application is enabled by default.

Smart Notice LG G3 Screen Example

Using the vulnerability, an attacker can easily steal sensitive data from the device SD card,
including WhatsApp data and images, and can also mislead the end-user into phishing scams and
drive-by attacks.

We commend LG, which responded quickly to our discovery of the vulnerability and we
encourage users to upgrade their application to the new Smart Notice release, which contains a
patch.

To see full details of the vulnerability, read the blog post at https://bugsec.com/snap-millions-of-lg-smartphone-devices-are-vulnerable-to-phone-hijack or at our ‘SNAP’ Vulnerability Blog Post.

“LG reacted immediately, which we appreciate,” said Idan Cohen, BugSec’s Chief Technology Officer. “This is a major potential security breach into the personal data of millions of LG users worldwide.” The root cause behind the issue, Cohen said, is the fact that the Smart Notice application does not validate the data it presents to users. “This means that the data can be taken from device phone contacts and manipulated. We highly recommend G3 users install the patch without delay,” Cohen said.

The BugSec-Cynet security research team found that hijacking of the LG devices could essentially take place in several ways, based on the functionality issues of the Smart Notice application. The following scenarios, in which the application pops up notifications (named ‘cards’), are all potential breaches:

  • Favorite contact notifications – Recommends that the user keep in touch with favorite contacts.
  • New contact suggestions – Suggests saving a caller's number.
  • Callback reminders – Reminds the user to call back a contact after declining the call.
  • Birthday notifications – Reminds the user about a contact's birthday.
  • Memo reminders – Provides notifications about user memos.