PatchSiren

CVE-2016-10135 LG CVE debrief

CVE-2016-10135 is a local information disclosure issue affecting LG devices using the MTK chipset on Android L (5.0/5.1), M (6.0/6.0.1), and N (7.0), plus RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app components com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService are exported by default because they declare an intent filter and do not explicitly set android:exported to false, and they are not protected by a custom permission. As a result, third-party apps on the device can interact with them and trigger logging behavior, which can expose sensitive diagnostic data stored under /sdcard/mtklog. The NVD rates the issue as CVSS 3.0 5.5 (MEDIUM), with local attack conditions and high confidentiality impact.

Vendor: LG
Product: CVE-2016-10135
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

This debrief matters to security teams supporting affected LG and related Android devices, mobile device administrators, app developers on impacted devices, and users who may have installed untrusted apps. The issue is most relevant where devices run one of the affected MTKLogger-enabled builds and installed apps may hold READ_EXTERNAL_STORAGE or otherwise have access to shared storage.

Technical summary

The vulnerability is caused by Android components in com.mediatek.mtklogger being exported unintentionally. Because the components are reachable through intents and lack a custom permission boundary, any local application can communicate with them. The exposed logging functions can start or stop GPS, modem, network, and mobile logs. The logs are written below /sdcard/mtklog, so they may be accessible to apps with storage permissions. The data described in the record includes GPS coordinates with timestamps, modem AT-command traces that may reveal call and SMS metadata, a tcpdump-style network capture, and Android log content.

Defensive priority

Medium. This is a local, on-device confidentiality issue rather than a remote code execution flaw, but it can expose sensitive location, communications, and network data. Prioritize it for fleets that permit third-party apps, handle sensitive user data, or rely on impacted LG/MTK device builds.

Recommended defensive actions

  • Check whether any deployed LG or affected partner devices run the impacted Android builds listed in the advisory and NVD record.
  • Review the MTKLogger package com.mediatek.mtklogger for exported components and confirm whether vendor patches or configuration updates are available.
  • Restrict installation of untrusted apps on affected devices and minimize app permissions, especially storage access.
  • Monitor or limit access to /sdcard/mtklog where feasible, and treat the contents as sensitive diagnostic data.
  • Apply vendor security updates referenced by LG when available and verify whether they disable exposure of the MTKLogger components.
  • For fleet management, inventory affected device models and OS versions so remediation can be targeted quickly.
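
The manifest review in the second action can be scripted. The following is an added example, not code from the NVD record or the vendor: it assumes the package's AndroidManifest.xml has already been decoded to text XML, and it reports every activity, service, or receiver that is effectively exported with no permission at either the component or the application level. The two MTKLogger class names come from the CVE description; the intent action, the permission name, and the two Hypothetical* components are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample: the first two class names are from the CVE text; the
# action, the permission and the Hypothetical* entries are placeholders.
FILTER = '<intent-filter><action android:name="example.placeholder.ACTION"/></intent-filter>'
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mediatek.mtklogger"><application>
  <receiver android:name=".framework.LogReceiver">{FILTER}</receiver>
  <service android:name="com.mediatek.mtklogger.framework.MTKLoggerService">{FILTER}</service>
  <service android:name=".HypotheticalGuarded" android:permission="example.placeholder.PERM">{FILTER}</service>
  <receiver android:name=".HypotheticalPrivate" android:exported="false">{FILTER}</receiver>
</application></manifest>"""


def unprotected_exported(manifest_xml):
    """Return sorted (tag, class) pairs that any local app can reach via intents."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")  # default for every component
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        explicit = comp.get(ANDROID + "exported")
        if explicit is not None:
            exported = explicit.strip().lower() == "true"
        else:
            # Implicit default on the affected Android 5.0-7.0 builds:
            # exported exactly when the component declares an intent filter.
            exported = comp.find("intent-filter") is not None
        permission = comp.get(ANDROID + "permission") or app_permission
        if exported and not permission:
            name = comp.get(ANDROID + "name", "")
            if name.startswith("."):
                name = package + name  # expand the relative class name
            findings.append((comp.tag, name))
    return sorted(findings)


if __name__ == "__main__":
    for tag, name in unprotected_exported(SAMPLE_MANIFEST):
        print(f"{tag}: {name} is exported without a permission")
```

An empty result on a patched build is the expected outcome; any component still listed remains reachable by third-party apps.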

Evidence notes

This debrief is based on the NVD record for CVE-2016-10135, which lists LG Android versions 5.0, 5.1, 6.0, 6.0.1, and 7.0 as vulnerable, identifies CWE-200, and provides the CVSS vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The CVE description states that the MTKLogger components are exported by default and accessible to third-party apps, and that the logs stored under /sdcard/mtklog can expose GPS, modem, network, and mobile log data. The record references the LG security updates page as a vendor advisory and a SecurityFocus BID entry.

Official resources

The official record shows the CVE as published on 2017-01-13T09:59:00.140Z. The source record was later modified on 2026-05-13T00:24:29.033Z; that later timestamp reflects database metadata updates, not the original issue date.