Researchers identified a number of possible attack vectors, including asking a victim to scan a QR code, or sending a fake contact via WhatsApp or MMS. Liran Segal and Shachar Korot, who discovered the vulnerability, say they contacted LG and the company responded quickly by updating Smart Notice with a patch. The onus is on G3 owners to install the update.
The root cause of the security problem is that Smart Notice does not validate the data it presents to users. Data can be taken from the phone's contacts and manipulated. The attack can take place in several ways due to functionality issues in the Smart Notice application. The application pops up notifications (named 'cards') in each of these scenarios:
Favorite contact notification – Recommends you keep in touch with favorite contacts.
New contact suggestion – Suggests saving a caller number.
Callback reminder – Reminder to call back a contact after declining the call.
Birthday notification – Reminder about a contact's birthday.
Memo reminder – Provides notifications about user memos.
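The missing validation described above can be illustrated with an added example, which is not LG's code or the researchers' code. It assumes a card is built as an HTML string from contact fields (the article does not say how cards are rendered); all function names, card templates and the sample contact are constructed for illustration.

```javascript
// Added example: weak vs. hardened rendering of a notification card.
// Assumption: cards are HTML strings built from contact data.
const MAX_FIELD_LEN = 64; // constructed display limit

// Hypothetical card texts, keyed by card type.
const CARD_TEMPLATES = new Map([
  ["callback", (name) => `Call back ${name}?`],
  ["birthday", (name) => `It is ${name}'s birthday today.`],
  ["newContact", (number) => `Save ${number} to contacts?`],
]);

// Encode the characters that let text break out of HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Normalise an untrusted field: drop control characters, collapse whitespace, bound length.
function cleanField(value) {
  return String(value ?? "")
    .replace(/[\u0000-\u001f\u007f]/g, " ")
    .replace(/\s+/g, " ")
    .trim()
    .slice(0, MAX_FIELD_LEN);
}

// Weak form: the contact field is concatenated straight into markup.
function renderCardUnsafe(type, contact) {
  return `<div class="card">${CARD_TEMPLATES.get(type)(contact.name)}</div>`;
}

// Hardened form: reject unknown card types, clean the field, then encode it.
// Truncation happens before encoding so an entity is never cut in half.
function renderCardSafe(type, contact) {
  const template = CARD_TEMPLATES.get(type);
  if (!template) throw new Error(`unknown card type: ${type}`);
  return `<div class="card">${template(escapeHtml(cleanField(contact.name)))}</div>`;
}

// Constructed sample: a contact name carrying markup instead of plain text.
const sampleContact = { name: 'Alice <b onclick="x()">tap</b>' };
console.log(renderCardUnsafe("callback", sampleContact)); // markup survives
console.log(renderCardSafe("callback", sampleContact));   // markup shown as text
```

Where the card is built through a DOM API instead of string concatenation, assigning the field as text rather than as markup achieves the same result without a hand-written encoder.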
The video below from BugSec Group shows how the vulnerability can be exploited: