LG fixes keyboard flaws to eliminate remote code execution attacks
The keyboard on LG smartphones has two security flaws, and specialists have discussed a patch to prevent remote code execution.
Researchers from Check Point recently discovered two security flaws affecting the default keyboard of current LG smartphone models.
Attackers who exploit these two flaws can execute code remotely and, with specific privileges on the device, steal sensitive information, hijack sessions and a lot more.
The first flaw is the use of an insecure connection for some processes.
The keyboard on LG smartphones offers handwriting input in multiple languages. The default language is English, and users can download other language packs.
When a user requests a new language or a language update, the service contacts a hard-coded server to download the requested language pack. Unfortunately, this download is performed over an HTTP connection, which is less secure than HTTPS and exposes users to man-in-the-middle (MitM) attacks and interception of their information.
Moreover, users can unintentionally download fraudulent programs instead of the requested language pack. If additional malware, a keylogger, etc. is installed, cybercriminals have free access to the user's personal information.
The second flaw is a validation error in the phone's file system. A MitM proxy can control where a downloaded file is placed, because that location depends entirely on the metadata and file names.
The researchers noted that LG's keyboard app treats its own lib file as a language pack component and grants execute permission to downloaded files with the .so extension. If the metadata file has this extension, the malicious lib will be marked as executable on disk.
So attackers can get a malicious file launched by changing its extension.
Once the application is launched, LG's keyboard downloads the libs specified in the Engine.properties configuration file. The rogue lib that the researchers injected into that file would then be downloaded as soon as the keyboard restarts.
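As an added illustration (not code from LG or Check Point), here are the checks a pack downloader needs to resist both flaws described above: HTTPS-only transport, a plain file name that cannot steer the write location, a data-only extension allow-list, and a digest obtained from a trusted source. The directory, extensions, host and file names are assumptions constructed for the example.

```python
import hashlib
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumptions for this sketch (not taken from LG's app):
PACK_ROOT = PurePosixPath("/data/data/com.example.keyboard/files/langpacks")
ALLOWED_EXTENSIONS = {".dat", ".dic"}          # data only, never native code
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def validate_entry(url, entry_name, payload, trusted_sha256):
    """Decide whether one downloaded pack entry may be written to disk.

    trusted_sha256 must come from a source the network attacker cannot alter
    (for example a signed manifest or a value shipped inside the app).
    Returns (True, destination_path) or (False, reason).
    """
    if urlsplit(url).scheme != "https":
        return False, "transport is not HTTPS"
    # A single plain file name: no separators, no '..', no absolute path.
    if not SAFE_NAME.fullmatch(entry_name):
        return False, "unsafe file name"
    if PurePosixPath(entry_name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if hashlib.sha256(payload).hexdigest() != trusted_sha256:
        return False, "digest mismatch"
    return True, str(PACK_ROOT / entry_name)


# Constructed sample inputs.
PAYLOAD = b"constructed language pack bytes"
DIGEST = hashlib.sha256(PAYLOAD).hexdigest()
SAMPLES = [
    ("https://packs.example.com/fr.dat", "fr.dat", PAYLOAD),
    ("http://packs.example.com/fr.dat", "fr.dat", PAYLOAD),
    ("https://packs.example.com/fr.dat", "../lib/libengine.so", PAYLOAD),
    ("https://packs.example.com/fr.dat", "libengine.so", PAYLOAD),
    ("https://packs.example.com/fr.dat", "fr.dat", b"tampered"),
]

if __name__ == "__main__":
    for url, name, data in SAMPLES:
        print(name, "->", validate_entry(url, name, data, DIGEST))
```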
These flaws affect only LG devices, and the specialists tested them on the best LG smartphones, such as the LG G4, LG G5, and LG G6.