Check Point disclosed today two vulnerabilities (CVE-2016-3117, CVE-2016-2035) which can be used to elevate privileges on LG mobile devices to attack them remotely at the LayerOne 2016 conference in Los Angeles.
LG issued fixes for both vulnerabilities which Check Point made LG aware of before disclosing them publicly. These vulnerabilities are unique to LG devices which account for over 20% of the Android OEM market in the US, according to a 2016 survey.
The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions in an LG service and to elevate its privileges, allowing additional control of the device.
The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. This approach could be used as part of a phishing scheme to steal a user’s credentials or to install a malicious app.
Webinar: How to Keep Mobile Threats at Bay
Enabling and Securing iOS and Android in the Enterprise
Securing today’s powerful mobile devices and the data on them is critical for the enterprise, but more than half of decision makers in a recent IDC survey had security and compliance issues during mobility rollouts. Join guest presenter Rob Westervelt, research manager for security products at IDC and Michael Shaulov, head of mobility at Check Point to learn why it’s more important than ever to have security for iOS and Android that provides continuous mobile protection for apps, networks, and operating systems.
Local vulnerability: CVE-2016-3117
The first vulnerability is in a privileged LG service called LGATCMDService. This service was not protected by any bind permission, meaning any app could communicate with it regardless of its origin or permissions. By connecting to this service, an attacker could address atd, a high-privileged user mode daemon and a gateway for communications with the firmware. In addition, atd can be used to
- read and overwrite private identifiers like the IMEI and MAC address
- reboot a device
- disable a device’s USB connection
- wipe a device
- brick a device completely
Ransomware would find these features very useful by locking a user out of a device and then disabling the ability to retrieve files by connecting the device with a computer via USB.
Remote vulnerability: CVE-2016-2035
This vulnerability exploits LG’s unique implementation of the WAP Push protocol. WAP Push is the SMS protocol (PDU) used to send URLs to mobile devices. This protocol was intended for the use by mobile carriers rather than users and includes “update” and “delete” features. LG’s implementation contained an SQL injection vulnerability that allowed attackers to send messages to devices with the ability to delete or modify all text messages stored on the device.
A potential attacker could use this vulnerability to conduct credential theft or to fool a user into installing a malicious app. The attacker could modify a user’s unread SMS messages and add a malicious URL to redirect the user to download a malicious app or to a fake overlay to steal credentials.
How can I protect myself from this vulnerability?
Check Point recommends taking several steps to mitigate the risk:
- Examine carefully any app installation request before accepting it to make sure it is legitimate.
- Contact your mobility, IT, or security team for more information about how it secures managed devices.
- Use a personal mobile security solution that monitors your device for any malicious behavior.
- Ask your enterprise to deploy a mobile security solution that detects and stops advanced mobile threats.
Where can I learn more about Check Point mobile security solutions?
Visit checkpoint.com/mobilesecurity for more information.
Adam Donenfeld is a lead researcher on the Check Point mobile security team. Prior to Check Point he served as a security researcher with an elite Israeli intelligence unit. In addition to studying German, Adam enjoys spending his free time hacking and reverse engineering