A new vulnerability exploiting LG Android devices was published just yesterday at the XDA conference in Florida, Miami. The vulnerability exists on various LG devices, including the flagship LG Optimus G, on a number of Android versions, 4.0 and 4.1. The flaw is a Privilege Escalation vulnerability that exists in an LG specific service added to the Android OS used to install/uninstall applications on the device.
Proof of concept exploit that utilizes the vulnerability was released in the wild and can be found here
What are the attack methods?
- Convincing the user to install a malicious android application, either from the official Google Play app store or from a third party (unofficial app store, email, etc…)
- Web attack leveraging a public vulnerability in an existing application, such as in the browser (CVE-2012-5139)
- Physically connecting the device to an attacker’s computer
What are the consequences of such an attack?
An attacker exploiting the vulnerability is capable of:
- Getting full control of the smartphone/tablet and bypassing the Android permission model
- Running code under system privileges
- Accessing various files and sensitive information on the device
- Accessing various enterprise data securing application, such as: Good for Enterprise, Checkpoint Mobile Access Software Blade, Divide, and various banking and financial applications. An attacker will be able to gain access to encrypted and sensitive information such as confidential documents and emails.
- Injecting a persistent backdoor on the device.
Unfortunately, no patch was released yet by the vendors so these affected devices are still vulnerable. Further, no AntiVirus or MDM solutions for Android can detect the use of this vulnerability from a malicious application or other means.
What are the affected devices?
- LG Optimus G
- Additional LG devices are under investigation
Technical Overview
The LG Install Services service available on a number of LG devices can be exploited to install and uninstall applications without user consent. Additionally, applications can be “promoted” as system applications giving them the ability to request special system privileges. By patching the dalvik cache, code can be run as the system user allowing access to any android application user data and gain almost complete control on the device.
Suggestions for minimizing the threat exposure
- Users should be instructed to only install applications from reputable sources (well known developers and only from the official Google Play app store)
- Users should be instructed not to open suspicious/unknown links sent to the device
Additional Information
XDA Forum
Lacoon Customer Advisory – Security flaw in LG Devices