Researchers identified a number of possible attack vectors, including asking a victim to scan a QR code, or sending a fake contact via WhatsApp or MMS. Liran Segal and Shachar Korot, who discovered the vulnerability, say they contacted LG and the company responded quickly by updating Smart Notice with a patch. The onus is on G3 owners to install the update.
In a blog post, Cynet says: "The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users. Data can be taken from the phone contacts and manipulated. The attack can take place in several ways due to functionality issues of the Smart Notice application. The application pops notifications (named 'cards') in each of these scenarios:
- Favourite contact notification – Recommends you keep in touch with favourite contacts.
- New contact suggestion – Suggests saving a caller number.
- Callback reminder – Reminder to call back a contact after declining the call.
- Birthday notification – Reminder about contact birthday.
- Memo reminder – Provides notifications about user memos."
The video above from BugSec Group shows how the vulnerability can be exploited.