If you own any of more than 40 different Android smartphones from LG, you might want to a pay attention. A vulnerability has been discovered that could effectively allow a hacker to compromise your device remotely.
The security exploit was found in the Sprite Backup software that is pre-loaded on several LG Android smartphones, including the Optimus G Pro, the Mach, Prada, Optimus LTE 3 and the 3D Cube. Security researcher Justin Case (is that his real name?) found an “odd binary in an update” in the spritebud backend of that backup solution. In effect, spritebud has root access to the device and with the right crafted backup, “we can write to, change permission and change ownership of any file.”
To demonstrate the attack, Case created a backup that when a “restore” command is initiated, an extra directory and 50MB file are written to the phone. This creates a lag, opening up a window of opportunity to dump “another script that roots the device and executes the script in the kernel.” The vulnerability affects backup version 2.5.4105 and spritebud 1.3.24.
Sprite Backup has acknolwedged the vulnerability and are working on a fix, but no specific timeline has been announced.