Lg Harmony Smartphone – An attacker can get man-in-the-middle access to inject executable files into a cellphone. LG has patched two severe vulnerabilities that are on the default keyboard on all mainstream LG smartphones, including its flagship handset; defects can be used to execute code remotely with high privileges. LG’s update also includes improvements to important Android problems, from Google.
The first problem relates to the fact that the LG keyboard supports handwriting modes in various languages. When new languages or updates for existing ones are installed, the device reaches the hardcoded server, from which it retrieves the requested language library or file. According to Check Point, who reported its shortcomings, the problem was that this download was done through an unsecured HTTP connection, exposing it to a man-in-the-middle attack. A remote attacker can only download malicious files rather than the intended language file.
Lg Harmony Smartphone
The second problem is validation defects in the LG file system. Resource files in the LG sandbox keyboard package can be modified; and, the LG keyboard application provides executable permissions for library files downloaded with the .so extension. Thus, attackers who have gained MITM access through the first flaw can now inject executable files by simply adding the .so extension to library downloads.
Also, by changing the file.txt metadata file, the Engine.properties file can also be overwritten by a fake one.
“The LG keyboard contains the [library] shown in the Engine.properties configuration file at application startup, and the bad lib we have injected in the file will be loaded as soon as the keyboard process is restarted,” explained Check Point researcher Slava Makkaveev. , in an analysis. “Once we have successfully injected lib rouge in Engine.properties, all we have to do is wait for the application to restart and load the library.”
Vulnerability, which LG considers to be a weakness, is unique to LG devices. Surface threats are important: Korea’s giant telephone has around 16 percent market share in the US, according to Strategy Analytics.
The disadvantage of temporary general Android, which not only affects LG but other Android phones, is a critical vulnerability in the Media framework that can allow remote attackers to execute arbitrary code in the context of special processes, using specially created files.
LG released a patch for all of this in a security update in May.