The vulnerability is that the Messaging (com.android.mms) app patched by LG forwards attacker-controlled intents back to the attacker in the exported com.android.mms.ui.QClipIntentReceiverActivity activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the com.lge.message.action.QCLIP action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the onActivityResult() method, they would have access to arbitrary content providers that have the android:grantUriPermissions=true flag set.
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Android | 12.0 (including) | 13.0 (including) |
The attacks and consequences of improperly exporting a component may depend on the exported component: