A serious vulnerability was previously discovered in many LG devices that let attackers use a flaw in the phone’s keyboard to remotely execute arbitrary code, and it seems that LG has now rolled a fix for that vulnerability into its May patch for Android devices. It is worth noting that the patch says that it’s only coming to the LG G5 and G6, members of the V series, Q series, and X series. This means a number of budget, offshoot LG devices and any G-series devices older than the LG G5 could be left out.
The security issue in question takes advantage of the trust that the keyboard puts in language packages and the relative insecurity of the HTTP protocol, still used to deliver LG keyboard language packs and updates as of this writing. The connection can easily be hijacked, which means attackers can feed a target device a fake update or package injected with malicious code. The keyboard does not check the pack for any discrepancies or known bad code, and simply allows it to be run. The issue comes in when the compromised language pack is given native application privileges at the system level. Even within the keyboard program’s sandbox, it can still access some system files and execute a small set of pre-programmed commands. If this list of commands is compromised through a fake language pack, attackers could reasonably open up a channel to a control server and download a more complete suite of malicious software, or simply load whatever code they want into the rogue language pack.
This security patch from LG features this fix as the key selling point, but also fixes a large number of potential security issues pertaining to the Android core and to Qualcomm devices, thanks to contributions from Google. The patch is, after all, built upon the May 1 Android Security Bulletin from Google, and simply customized for LG devices with a few fixes and bits of code added in. The keyboard fix only applies to LG devices, so it won’t be making its way upstream to the AOSP security patch level.