Malicious JavaScript could be entered into a contact form LG has patched a security flaw in an application preinstalled on millions of its Android G3 smartphones that researchers found could be used to steal a variety of data.The application, called Smart Notice, is a kind of multifunctional widget, managing contacts, notifications, and weather and traffic alerts.Researchers from BugSec and Cynet, two computer security companies, found that they could attack a person’s phone by sending them a contact with malicious JavaScript contained in the name field, according to a video.Once the code was on the phone, any information stored on its SD card, such as private images and chat logs, could be stolen. “The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users,” BugSec and Cynet wrote in a blog post on Thursday.The researchers found a variety of ways to trigger their malicious code and carry out actions, such as opening a phishing site that tries to steal a person’s Gmail credentials or prompt a person to download a remote access trojan. “With a little tweak, we were able to load external scripts from a remote host and ‘refresh’ our code every few seconds, giving us the ability to have active command and control over the LG phone and send new payloads,” the companies wrote.It was also possible to conduct a denial-of-service attack that could only be stopped by doing a hard reset of the phone, they wrote. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe