Select Page

  • Facebook
  • Twitter
  • LinkedIn
LG has a problem, and if you own an LG phone, you’ve got a problem too. The reason? LG phones come with an app called “Smart Notice” preloaded and activated on literally every phone the company makes.

This Smart Notice app is a handy feature, to be sure, but it comes with a critical flaw. Since it does not validate the information it displays, it opens the door for abuse. Notification “cards” can be forged by hackers. If a forged card is accepted by the user, it places a bit of Javascript on the phone that can be activated to launch phishing attacks, implement a denial of service attack, browse data held on the phone, and more.

Some examples of how this kind of attack can manifest include things like spoofing a favorite contact, which reminds you to keep in touch with friends, new contact suggestions, which recommends saving a caller’s number, callback reminders, birthday notifications, and other types of notifications.

Again, all the user has to do is accept and save the notification in order for the script to be successfully installed, so if a user gets a (spoofed) notification of someone’s birthday and isn’t paying attention before hitting save to load the date into their calendar, it’s quite easy for the hackers to gain access to the data stored on your phone.

The good news is that LG hasn’t taken news of the security issue lying down. The company has recently released an updated version of the app, which adds an authentication step to the notification feature, making spoofed cards far less likely to succeed, because un-authenticated data will never be displayed to the user in the first place. This is a critical update for all LG phone owners, so be sure to allow this one the next time you’re doing app updates on your device.