Check Point disclosed today two vulnerabilities (CVE-2016-3117, CVE-2016-2035) which can be used to elevate privileges on LG mobile devices to attack them remotely at the LayerOne 2016 conference in Los Angeles.
The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions in an LG service and to elevate its privileges, allowing additional control of the device.
The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. Attacker could use it to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.
Steps to mitigate the risk of this attack:
- Verify any app installation request before accepting it to make sure it is legitimate.
- Use a personal mobile security solution that monitors your device for any malicious behavior.
The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions in an LG service and to elevate its privileges, allowing additional control of the device.
The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. Attacker could use it to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.
Steps to mitigate the risk of this attack:
- Verify any app installation request before accepting it to make sure it is legitimate.
- Use a personal mobile security solution that monitors your device for any malicious behavior.
- Lookout for LG latest update on these vulnerabilities and patch it immediately
Below is the video demo of the remote attack.
For more details of these vulnerabilities, visit "OEMs Have Flaws Too: Exposing Two New LG Vulnerabilities"
http://blog.checkpoint.com/2016/05/29/oems-have-flaws-too-exposing-two-new-lg-vulnerabilities/
No comments:
Post a Comment