Tablet Buying Demystified: 10 Tips

A vulnerability in an application installed by default on LG mobile devices that run the Android operating system can be exploited by an attacker to remotely compromise the device.

That warning was issued this week by security researcher Justin Case, who discovered vulnerabilities in backup and recovery software called Sprite Backup, which counts 17 million Android users.

More than 40 devices are affected, including Optimus G Pro smartphones -- the company's fastest-selling smartphone ever -- as well as various models of the Mach, Prada, Optimus LTE 3 and 3D Cube, among other devices. Smartphones manufactured by other handset makers may also be at risk.

[ Are there other issues with Android software? Read Adware Sneaks Onto Android Smartphones. ]

The vulnerability involves two Sprite Backup components: spritebud and backup. "'Backup' and 'spritebud' are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones," according to Case's initial vulnerability announcement. "'Backup' is the end user front end app, and 'spritebud' is the service that [performs] the backup and restore functions."

Case said that "an odd binary in an update" for spritebud lead to his discovering the vulnerability, which has been classified as CVE-2013-3685. The bug stems from a race condition, which refers to two or more processes having access to the same variable at the same time. In this case, spritebud -- which runs with root user permissions -- monitors the Unix socket, and accepts any instructions sent by the backup app.

Case's attack exploits that monitoring arrangement. "Using a [specially] crafted backup, we can write to, change permission and change ownership of any file, being that 'spritebud' is running under the root user," he said. "Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge."

Via Github, Case published full details of the attack Monday, including a working proof-of-concept exploit. "I crafted a backup that when it restores, creates a lag long enough for my app to set up a symlink, or shortcut. When the first file restores, it creates a directory and writes a 50 MB file to increase the lag," he said. "Then it dumps another script that roots the device and executes script in the kernel for me."

Currently, the attack only works for someone who has local access to the phone, and requires initiating a restore. The threat, however, is that an attacker could find a way to remotely exploit the vulnerability. "Any issue that allows one to escalate to root is a problem," Jeff Forristal, CTO of mobile security firm Bluebox, told Threatpost. "The fact that is an LG-specific issue points to the vulnerabilities that can be introduced by device partners working with the AOSP [Android Open Source Project]."

The vulnerability affects backup version 2.5.4105 and spritebud version 1.3.24.

Case said he's notified all of the vendors involved, although said the process wasn't smooth. "This one has been disclosed to LG, Google and Sprite Software, and Sprite has confirmed a fix, but no ETA on a public fix," Case said. "While LG did acknowledge this one (took 13 days), they still refuse to acknowledge the far more serious vulnerabilities reported to them.

"LG's and Sprite Software's security practices and responses have much to be desired," he said.

Officials at LG in South Korea, and Sprite -- which is based in New Zealand -- didn't immediately respond to emailed requests for comment about the vulnerability, or Case's criticism of their security response. The most recent version of the Sprite Backup software for Android was released on Feb. 19, 2013.

This isn't the first time that vulnerabilities have been discovered in Android devices stemming from software installed by handset manufacturers. Notably, researchers have found that some types of Android smartphones are more vulnerable to attack, precisely because of the add-on software and skins installed by handset makers, which run the gamut from useful add-ons to buggy bloatware.

Such security problems can be compounded by the slow speed with which many handset manufacturers -- including LG -- release smartphone patches. Notably, some manufacturers cease to support devices that are more than 12 months old.

The widespread lack of security updates for Android devices led the American Civil Liberties Union (ACLU) to file a complaint with the Federal Trade Commission (FTC) in April, urging the agency to investigate the country's four major wireless carriers -- AT&T, Sprint Nextel, T-Mobile USA and Verizon Wireless. The ACLU also urged the FTC to allow consumers to return any device for a full refund up to two years after it had been purchased, if their carrier wasn't issuing timely security updates.

That complaint followed handset maker HTC settling with the FTC in February, after the agency charged HTC with failing "to take reasonable steps to secure the software it developed for its smartphones and tablet computers [and] introducing security flaws that placed sensitive information about millions of consumers at risk."

In particular, the agency accused HTC of insecurely implementing two logging applications -- Carrier IQ and HTC Loggers -- installed by default on all of its devices, as well as committing programming errors that undermined the Android security model. In response, HTC agreed to revamp its security program and undergo regular information security audits for the next 20 years.