On one of the two vulnerabilities, the Smartphones can be damaged permanently. LG has already released updates, which fill the gaps.
LG has addressed two vulnerabilities in its firmware for Android smartphones. One of the two holes located in a LG’s proprietary process with system privileges that is insufficiently protected and allows therefore any apps to change the IMEI and MAC addresses, delete all data on the
device and even permanently damage it. The second gap is located in the code for the WAP-push Protocol and allow attackers to send fake SMS messages to the device, or to manipulate messages on the Smartphone.
Two vulnerability in one fell swoop
The gap, which pertains to the LG-process LGATCMDService (CVE-2016-3117) can be used only locally. An attacker must have already malicious code on the device – about a fake app installed on the device the user under pretenses. This app can then extend the own rights with the help of the LG process and lock around the device of the victim, and demand a ransom.
Manipulation of the WAP push vulnerability (CVE-2016-2035) to run attacker remotely. To do this they need to know the phone number of the target probably and it is possible no direct execution of malicious code. However a link can be pushed under the user, which loads when you click attack code on the net.
Update is available
The two gaps were announced by the security firm check point LayerOne conference in Los Angeles public. LG has been informed beforehand and has issued updates. Users of LG Smartphones should ensure that their software up to date is.