Check Point Research has discovered two vulnerabilities in the virtual keyboard (LGEIME) that comes pre-installed on LG flagship smartphones. Check Point specialists confirmed the presence of the vulnerabilities by testing the flagship LG G4, LG G5 and LG G6 devices.
The discovered vulnerabilities reportedly could be used for remote code execution with elevated privileges on LG mobile devices. With their help it was possible to control the keyboard and use a keylogger, and thereby obtain access to confidential user data.
The first security flaw relates to the handwriting function. It turned out that, to update the interface language, the device connects to an external server over an insecure HTTP connection, through which a man-in-the-middle (MITM) attack could be carried out. Such an attack allows a malicious file to be delivered to the smartphone in place of a legitimate language update.
The second vulnerability relates to the location of the language file. Through path traversal, an attacker can change the file extension and place malware in the LG keyboard's configuration file directory.
Check Point researchers promptly reported the vulnerabilities to LG, which released a patch with the May security update. The company combined the detected vulnerabilities into a single entry, LVE-SMP-170025, and strongly recommends updating the OS on smartphones of the G series (G5, G6), V series (Q10, Q10, V8) and X series (X300, X400, X500).
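The two flaws described above (an update fetched over plain HTTP, and a server-supplied file name that controls where and with what extension the file lands) map to three checks an updater can apply before writing anything to disk. The sketch below is an added example, not LG's patch or Check Point's code; the directory, the `.dict` extension, the function names and the idea of a trusted manifest digest are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumptions for illustration only (not taken from the LG keyboard):
LANG_DIR = PurePosixPath("/data/example-keyboard/lang")  # hypothetical install dir
ALLOWED_SUFFIXES = {".dict"}                              # hypothetical file type


class RejectedUpdate(ValueError):
    """Raised when a language update fails one of the checks."""


def check_update_url(url: str) -> None:
    # An http:// download can be replaced in transit by a MITM; require TLS.
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise RejectedUpdate(f"update URL must be https: {url!r}")


def resolve_language_file(name: str) -> PurePosixPath:
    # The server-supplied name must be a bare file name, never a path.
    if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
        raise RejectedUpdate(f"not a bare file name: {name!r}")
    target = PurePosixPath(posixpath.normpath(str(LANG_DIR / name)))
    # Defence in depth: the normalised target must sit directly in LANG_DIR.
    if target.parent != LANG_DIR:
        raise RejectedUpdate(f"escapes language directory: {name!r}")
    # Only the expected data-file type may be written; no .so, .dex, etc.
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedUpdate(f"unexpected extension: {name!r}")
    return target


def vet_update(url: str, name: str, payload: bytes, expected_sha256: str) -> PurePosixPath:
    """Return the path the payload may be written to, or raise RejectedUpdate."""
    check_update_url(url)
    target = resolve_language_file(name)
    # Assumption: expected_sha256 comes from a manifest obtained over a trusted channel.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise RejectedUpdate("payload digest does not match the manifest")
    return target
```
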