The vulnerability, dubbed ‘SNAP’ by researchers from security firms BugSec Group and Cynet, was found in LG Smart Notice, an app that is preinstalled on all LG G3 handsets and is responsible for displaying suggestions, related notifications and reminders, much like Google Now. The researchers uncovered that, under certain circumstances the app would fail to validate user data and would thus allow attackers to potentially forge notifications, allowing the injection and execution of unauthenticated code to manipulate and steal sensitive information even from a mounted SD card.
Using the vulnerability, an attacker can easily open the user device to data theft attack, extracting private information saved on the SD Card including WhatsApp data and private images; put the user in danger of phishing attack by misleading the end-user; and enable the installation of a malicious program on the device.
LG was quickly informed and subsequently released a bug-fixing patch for all LG G3 smartphones. Affected handsets should see an update notification pop-up in the next couple of days.