Information

The built-in LG World app (com.lge.lgworld) downloads its self-update APK file to publicly accessible storage and does not verify its signature. An attacker can overwrite the file and install an arbitrary app.

LVE-SMP-170026
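
The hardened form of this update flow, as an added example that is not LG's code or part of the original advisory: the download is copied into private storage and a signature over that copy is verified before it is handed on. It runs on a plain JDK; the temporary directories, the generated EC key pair, the detached ECDSA signature (used here instead of Android's APK signing) and all file contents are assumptions constructed for illustration.

```java
import java.nio.file.*;
import java.security.*;

// Constructed demo: plain-JDK stand-in for an app self-update flow (no Android APIs).
public class UpdateCheckDemo {
    // Copy the download out of shared storage first, then verify and return the
    // private copy, so the bytes that were checked are the bytes that get installed.
    static Path verifiedPrivateCopy(Path shared, Path privateDir, byte[] sig, PublicKey pinned)
            throws Exception {
        Path priv = privateDir.resolve("update.apk");
        Files.copy(shared, priv, StandardCopyOption.REPLACE_EXISTING);
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(pinned);
        verifier.update(Files.readAllBytes(priv));
        if (!verifier.verify(sig)) {
            Files.delete(priv); // never leave an unverified file where an installer could pick it up
            throw new SecurityException("update rejected: signature mismatch");
        }
        return priv;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical vendor key pair; a real updater ships only the public key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair vendor = kpg.generateKeyPair();

        byte[] genuine = "constructed genuine update".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(vendor.getPrivate());
        signer.update(genuine);
        byte[] sig = signer.sign();

        Path sharedDir = Files.createTempDirectory("shared");   // stands in for public storage
        Path privateDir = Files.createTempDirectory("private"); // stands in for app-private storage
        Path download = sharedDir.resolve("update.apk");

        Files.write(download, genuine);
        Path ok = verifiedPrivateCopy(download, privateDir, sig, vendor.getPublic());
        System.out.println("genuine download accepted: " + ok);

        // The file in shared storage is replaced before installation (constructed content).
        Files.write(download, "constructed replacement".getBytes("UTF-8"));
        try {
            verifiedPrivateCopy(download, privateDir, sig, vendor.getPublic());
        } catch (SecurityException e) {
            System.out.println("overwritten download: " + e.getMessage());
        }
    }
}
```

Verifying the file while it still sits in shared storage would leave a window between the check and the install; checking the private copy closes it.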



References:
https://lgsecurity.lge.com/security_updates.html
https://thehackernews.com/2018/08/man-in-the-disk-android-hack.html