The software that electronics manufacturer LG uses to update smartphone apps does not check the SSL certificate of the server that provides the updates, leaving users vulnerable to man-in-the-middle attacks and allowing apps to be silently installed on the phone.
This is reported by the Hungarian security company Search Labs. The problem is in the LG Update Center app. This app acts as an app store and allows users to download all kinds of apps. These apps are managed through the Update Center app, which also checks for available updates. To see whether any updates are available, the app connects over HTTPS to www.lgcpm.com. However, the SSL certificate is not checked.
An attacker positioned between the user and the Internet only has to intercept the request from the Update Center app and can then specify a different location from which to download the update. Since updating is done via APK files, for which no further permission or user interaction is required, an attacker can thus silently install malicious APK files on the target's phone. These malicious apps can use any permission except those that require the app to be signed with the system key.
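The missing check described above, shown as a weak client TLS setting beside the corrected one, with a second check on the download location taken from an update response. This is an added example, not LG's code: the function names, the sample URLs and the assumption that downloads are served from the same host as the update check are illustrative.

```python
import ssl
from urllib.parse import urlsplit

UPDATE_HOST = "www.lgcpm.com"  # update server named in the article


def insecure_context():
    """Weak setting: the handshake succeeds with any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # server certificate is never validated
    return ctx


def hardened_context():
    """Corrected setting: chain validation against the system trust store
    plus a hostname check."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return findings for a client TLS context; an empty list means the
    server's identity is actually verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def download_location_allowed(url, allowed_hosts=(UPDATE_HOST,)):
    """Second layer: accept a download location only if it is HTTPS on an
    expected host. The allowlist is an assumption made for this example."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.username is None
            and parts.hostname in allowed_hosts)


if __name__ == "__main__":
    print("weak:     ", audit_context(insecure_context()))
    print("hardened: ", audit_context(hardened_context()))
    # Constructed sample locations, not taken from real update traffic.
    for url in ("https://www.lgcpm.com/app.apk",
                "http://www.lgcpm.com/app.apk",
                "https://www.lgcpm.com.example.net/app.apk"):
        print(url, "->", download_location_allowed(url))
```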
According to the researchers, the entire process can take place in the background without the user suspecting anything. LG smartphones are also configured to automatically install updates as they become available. The problem was reported to LG last November. The company let the researchers know that it would consider an update for newer models running Android Lollipop. However, those updates have yet to appear.
"At the moment all LG Android-based smartphones are vulnerable to this attack and will continue to be under LG's plans," write the researchers. They argue that because of "business interests" LG will not release updates. LG users who want to protect themselves are advised to disable "Auto app update" and to use the Update Center app only on trusted Wi-Fi networks when installing or updating apps.