LG has patched two severe vulnerabilities that reside in the default keyboard on all mainstream LG smartphones, including its flagship handsets; the flaws could be used to remotely execute code with elevated privileges.
LG’s update also includes a fix from Google for a critical Android issue.
The first issue has to do with the fact that LG’s keyboard supports handwriting modes in various languages. When a new language or an update for an existing one is installed, the device reaches out to a hardcoded server, from which it retrieves the requested language file or library. According to Check Point, which reported the flaws, the problem is that this download is done over an insecure HTTP connection, exposing it to man-in-the-middle attacks. A remote attacker in that position could cause the device to download a malicious file instead of the intended language file.
The second problem is a validation flaw in LG’s file system. The resource files within the LG keyboard package sandbox can be modified, and LG’s keyboard application grants executable permissions for any downloaded library file with the .so extension. Thus, an attacker who has gained MITM access via the first flaw can now inject a rogue executable file by simply appending the .so extension to a library download.
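The checks whose absence the two flaws describe, as an added example that is not LG's code or its actual fix: a resource is accepted only over HTTPS and only if it matches a digest shipped with the app, and it is written as non-executable data whatever its extension. The manifest, file names, URLs and function names are hypothetical, and digest pinning is an assumed integrity mechanism.

```python
import hashlib
import os
from urllib.parse import urlparse

# Constructed sample: digests the app would ship inside its signed package.
# Names and values are hypothetical, not LG's.
SAMPLE_LANG_FILE = b"constructed handwriting data for language 'xx'"
PINNED_SHA256 = {"lang_xx.dat": hashlib.sha256(SAMPLE_LANG_FILE).hexdigest()}


class RejectedDownload(Exception):
    """Raised when a downloaded resource fails a validation step."""


def validate_resource(url, name, payload, pinned=PINNED_SHA256):
    """Return the name if the download is acceptable, else raise."""
    # Flaw 1: plain HTTP lets a man-in-the-middle replace the response body.
    if urlparse(url).scheme != "https":
        raise RejectedDownload("transport is not HTTPS")
    # A server-supplied name must not steer where the file is written.
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise RejectedDownload("name contains a path component")
    # Only resources listed in the shipped manifest are accepted, so a
    # renamed download such as "lang_xx.dat.so" has no entry and is refused.
    expected = pinned.get(name)
    if expected is None:
        raise RejectedDownload("resource is not in the pinned manifest")
    if hashlib.sha256(payload).hexdigest() != expected:
        raise RejectedDownload("digest mismatch")
    return name


def install_resource(url, name, payload, dest_dir):
    """Validate, then write the file as non-executable data (mode 0600)."""
    validate_resource(url, name, payload)
    path = os.path.join(dest_dir, name)
    # Flaw 2: the mode is fixed here and never derived from the extension.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    os.chmod(path, 0o600)  # also covers a pre-existing file with looser bits
    return path
```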
Mauritian Computer Emergency Response Team (CERT-MU),
National Computer Board,
7th Floor, Stratton Court,
La Poudriere Street, Port Louis