At the LayerOne 2016 conference in Los Angeles, Check Point today disclosed two vulnerabilities (CVE-2016-3117, CVE-2016-2035) that can be used to elevate privileges on LG mobile devices and to attack them remotely.

LG issued fixes for both vulnerabilities, which Check Point reported to LG before disclosing them publicly. These vulnerabilities are unique to LG devices, which account for over 20% of the Android OEM market in the US, according to a 2016 survey.

The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions in an LG service and to elevate its privileges, allowing additional control of the device.

The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. This approach could be used as part of a phishing scheme to steal a user’s credentials or to install a malicious app.


Local vulnerability: CVE-2016-3117

The first vulnerability is in a privileged LG service called LGATCMDService. This service was not protected by any bind permission, meaning any app could communicate with it regardless of its origin or permissions. By connecting to this service, an attacker could address atd, a high-privileged user-mode daemon and a gateway for communications with the firmware. In addition, atd can be used to:

  • read and overwrite private identifiers like the IMEI and MAC address
  • reboot a device
  • disable a device’s USB connection
  • wipe a device
  • brick a device completely

Ransomware would find these features very useful: it could lock a user out of a device and then disable the ability to retrieve files by connecting the device to a computer via USB.
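A defender can audit for this class of flaw by checking a decoded (text) AndroidManifest.xml for exported services that no permission guards. The following is an added example, not code from Check Point or LG; the manifest, package and service names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical names, not LG's actual manifest).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor">
  <application>
    <service android:name=".UnguardedCmdService" android:exported="true"/>
    <service android:name=".GuardedCmdService" android:exported="true"
             android:permission="com.example.vendor.permission.BIND_CMD"/>
    <service android:name=".ImplicitService">
      <intent-filter><action android:name="com.example.vendor.CMD"/></intent-filter>
    </service>
    <service android:name=".InternalService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(service):
    """Explicit android:exported wins; otherwise an intent-filter implies export."""
    explicit = _attr(service, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return service.find("intent-filter") is not None


def unprotected_services(manifest_xml):
    """Return names of exported services that no permission guards."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_permission = _attr(app, "permission")  # applies to components lacking their own
    return [
        _attr(svc, "name")
        for svc in app.findall("service")
        if _is_exported(svc) and not (_attr(svc, "permission") or app_permission)
    ]


if __name__ == "__main__":
    for name in unprotected_services(SAMPLE_MANIFEST):
        print("exported service without a bind permission:", name)
```

A permission attribute is only a real barrier when the permission is declared with a signature-level protection level; a normal-level permission is granted to any app that requests it.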

Remote vulnerability: CVE-2016-2035

This vulnerability lies in LG’s unique implementation of the WAP Push protocol. WAP Push is the SMS protocol (PDU) used to send URLs to mobile devices. This protocol was intended for use by mobile carriers rather than users and includes “update” and “delete” features. LG’s implementation contained an SQL injection vulnerability that allowed attackers to send messages to devices with the ability to delete or modify all text messages stored on the device.

A potential attacker could use this vulnerability to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.
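To show why a "delete" feature driven by a message field can end up touching every stored message, the added example below contrasts a handler that concatenates the field into SQL with one that binds it as a parameter. It is not LG's code: the `sms` table, the `push_id` column and the handler names are hypothetical, and the page does not say which field of the message was affected.

```python
import sqlite3

# Constructed value: an identifier field carrying SQL syntax instead of an ID.
HOSTILE_ID = "x' OR '1'='1"


def make_store():
    """Build an in-memory message store with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, push_id TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO sms (push_id, body) VALUES (?, ?)",
        [
            ("promo-1", "Carrier offer: http://carrier.example/offer"),
            (None, "Your verification code is 000000"),
            ("promo-2", "New voicemail"),
        ],
    )
    return db


def delete_push_concat(db, push_id):
    """Vulnerable form: the field is pasted into the SQL text."""
    db.execute("DELETE FROM sms WHERE push_id = '" + push_id + "'")


def delete_push_bound(db, push_id):
    """Hardened form: the field is bound as data and never parsed as SQL."""
    db.execute("DELETE FROM sms WHERE push_id = ?", (push_id,))


def rows_left(handler, push_id):
    """Run one delete request against a fresh store; return remaining row count."""
    db = make_store()
    handler(db, push_id)
    return db.execute("SELECT COUNT(*) FROM sms").fetchone()[0]


if __name__ == "__main__":
    for handler in (delete_push_concat, delete_push_bound):
        print(handler.__name__,
              "legit:", rows_left(handler, "promo-1"),
              "hostile:", rows_left(handler, HOSTILE_ID))
```

With the bound parameter, a request naming a single message removes at most that message, and ordinary text messages that carry no push identifier are never in scope.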

How can I protect myself from this vulnerability?

Check Point recommends taking several steps to mitigate the risk:

  • Examine carefully any app installation request before accepting it to make sure it is legitimate.
  • Contact your mobility, IT, or security team for more information about how it secures managed devices.
  • Use a personal mobile security solution that monitors your device for any malicious behavior.
  • Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats.

Where can I learn more about Check Point mobile security solutions?

Visit checkpoint.com/mobilesecurity for more information.

Adam Donenfeld is a lead researcher on the Check Point mobile security team. Prior to Check Point he served as a security researcher with an elite Israeli intelligence unit. In addition to studying German, Adam enjoys spending his free time hacking and reverse engineering.

 

 

 


  1. Are Nexus devices like the LG manufactured Nexus 5 also affected? And if they are, will they receive the patches, too?

