LG has issued a patch to resolve two security vulnerabilities in LG smartphone keyboards which can lead to remote code execution.
Several months ago, Check Point researchers uncovered two security flaws which impact the default keyboard system present in all current mainstream LG smartphone models.
When exploited, both vulnerabilities can be utilized to remotely execute code with elevated privileges on LG mobile devices, potentially leading to the theft of user and account information, session hijacking, and more.
The first vulnerability stems from the use of an insecure connection for a sensitive operation.
LG keyboards support handwriting modes in multiple languages, and while English is defined as default, users are able to download and install additional language packages.
When users request a new language pack or a language update, the keyboard reaches out to a hardcoded server to retrieve the language files. However, this download is made over plain HTTP rather than HTTPS, so it is neither encrypted nor authenticated, which exposes users to man-in-the-middle (MITM) attacks and network eavesdropping.
If the connection is tampered with, users may unwittingly download, install, and execute malicious files in place of the requested language pack. Given such a pathway into a victim's device, attackers have free rein to cause havoc, whether that is installing additional malware, keylogging, conducting surveillance, or stealing data.
The second vulnerability is a validation error in how the keyboard application handles downloaded files. Where a downloaded file is written on disk is derived from the metadata and file names in the language pack, and an attacker in the middle of the connection (a MITM proxy) controls both.
According to the researchers, this can be exploited because a file name is treated as a path: by crafting the name, an attacker chooses where within the LG keyboard package sandbox the file is written and can overwrite existing files there.
"LG's keyboard application assumes that a native lib file can be part of a language pack and grants executable permissions for all downloaded files with extension .so," the researchers note. "So, if the metadata file is extended with a .so file, entry to the rogue lib file will be marked on the disk as executable."
Attackers can therefore get an injected file marked executable simply by giving it a .so extension.
"LG's keyboard loads the libs indicated in Engine.properties configuration file on the application's startup and the rogue lib we've injected inside the aforementioned file would be loaded as soon as the keyboard process restarts," Check Point says. "Once we manage to inject the rogue lib inside Engine.properties, all we need to do is wait for the application to restart and load the library."
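The two flaws described above (an unauthenticated download, and a file name from the downloaded metadata used as a write path and as the trigger for executable permissions) are both errors in how a language-pack installer treats attacker-controlled input. The following Python example is added here to illustrate that pattern; it is not LG's or Check Point's code. It places a deliberately vulnerable installer, which joins the name to the sandbox directory without checks and marks any ".so" file executable, beside a hardened one that verifies a SHA-256 digest, rejects names that resolve outside the sandbox, allow-lists data-file suffixes, and never sets an executable bit. The manifest entries, payload bytes, allowed suffixes, and the assumption that the expected digest arrives over a separately authenticated channel are all constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: data files a language pack legitimately contains.
ALLOWED_SUFFIXES = {".dict", ".txt", ".properties"}


class PackageRejected(Exception):
    """Raised by the hardened installer when a pack entry fails validation."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vulnerable_install(sandbox: Path, name: str, data: bytes) -> Path:
    """Mirrors the described flaw: the name taken from the downloaded metadata
    is joined to the sandbox path unchecked (so '..' escapes it), and any
    file ending in '.so' is granted execute permission."""
    dest = sandbox / name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    if name.endswith(".so"):
        dest.chmod(dest.stat().st_mode | stat.S_IXUSR)
    return dest


def hardened_install(sandbox: Path, name: str, data: bytes,
                     expected_sha256: str) -> Path:
    """Validates every attacker-influenced input before touching the disk."""
    # 1. Integrity: the digest is assumed to come from an authenticated source
    #    (e.g. a signed manifest), so a tampered HTTP body is caught here.
    if sha256(data) != expected_sha256:
        raise PackageRejected("digest mismatch")
    # 2. Path containment: resolve symlinks and '..', then require the result
    #    to sit strictly inside the sandbox directory.
    root = sandbox.resolve()
    dest = (root / name).resolve()
    if dest == root or os.path.commonpath([str(root), str(dest)]) != str(root):
        raise PackageRejected("path escapes sandbox")
    # 3. Type allow-list: downloaded content is data, never native code.
    if dest.suffix not in ALLOWED_SUFFIXES:
        raise PackageRejected(f"unexpected file type {dest.suffix!r}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    dest.chmod(0o600)  # owner read/write only; no execute bit, ever
    return dest


def demo() -> dict:
    """Runs both installers against constructed manifest entries in a temp
    directory and returns what happened, for inspection or assertions."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "keyboard_sandbox"
        sandbox.mkdir()
        payload = b"\x7fELF constructed fake native library"
        good = b"hello\nworld\n"

        # Vulnerable installer: traversal name lands outside the sandbox,
        # and the '.so' suffix alone is enough to make it executable.
        out = vulnerable_install(sandbox, "../libevil.so", payload)
        results["vuln_escaped"] = sandbox.resolve() not in out.resolve().parents
        results["vuln_executable"] = bool(out.stat().st_mode & stat.S_IXUSR)

        # Hardened installer: each abuse is rejected, the benign entry lands
        # where it should without execute permission.
        cases = [
            ("traversal", "../libevil.so", payload, sha256(payload)),
            ("native_lib", "libevil.so", payload, sha256(payload)),
            ("tampered", "en.dict", payload, sha256(good)),
        ]
        for label, name, data, digest in cases:
            try:
                hardened_install(sandbox, name, data, digest)
                results[label] = "accepted"
            except PackageRejected as exc:
                results[label] = f"rejected: {exc}"
        ok = hardened_install(sandbox, "en/en.dict", good, sha256(good))
        results["benign_path"] = ok.relative_to(sandbox.resolve()).as_posix()
        results["benign_executable"] = bool(ok.stat().st_mode & stat.S_IXUSR)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the digest is verified before any path logic so that a tampered body is rejected even when its file name looks innocent, and the containment check works on the fully resolved path rather than on string matching, which is what defeats both ".." components and symlinks inside the sandbox. Transport security (HTTPS with a pinned or properly validated certificate) still belongs on the download itself; the digest check is the defence in depth that holds even if the transport is compromised.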
The vulnerabilities only impact LG devices and were tested on LG flagship smartphones including the LG G4, LG G5, and LG G6.
Check Point privately disclosed its findings to LG and a patch has been released to resolve these security flaws in the LG May security update. Check Point's Slava Makkaveev was given credit for the findings.
In related news, earlier this month, LG's headquarters in Yeouido, South Korea, was raided by local law enforcement over alleged tax evasion. Prosecutors claim that up to $10 million in tax has been evaded through fraudulent share transactions.