LG vuln leaves Android phones wide open; no plan for patch: researchers

Vendor intends to fix auto-update flaw only in new Lollipop handsets

The flaw resides on all Android-based LG smartphones and there is no plan to fix the bug in existing handsets.
By Stephen McBride, published July 2, 2015

LG smartphone users are vulnerable to malware through a flaw in the vendor's pre-loaded Update Centre app, according to Hungarian security researchers.

Update Centre is used by LG to update software features on its handsets that cannot be downloaded from Google Play.

The Security Evaluation and Research Laboratory (SEARCH-LAB), attached to the Budapest University of Technology and Economics, said in a blog post that the flaw was present on "all Android-based LG smartphones" and that "malicious attackers controlling the network are able to install arbitrary applications on victim handsets".

SEARCH-LAB said it informed LG of the vulnerability in November 2014, but the company said it would only roll out fixes in Android Lollipop phones.

When communicating with an LG remote host, Update Centre receives JSON (JavaScript Object Notation)-encoded data in response. The flaw allows malicious actors to intercept that data and replace the contents of a field containing a URL with any URL they wish. The attacker can then direct the handset to download any application in the background, with no warning given to the end user.
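The article does not give the response format or say how a fix would work. As an added example (not LG's or SEARCH-LAB's code), the sketch below shows a client-side check that refuses a response whose URL field was replaced in transit. The field names, host name and key are constructed, and an HMAC stands in for a public-key signature so the code runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed values for this example; none come from LG's protocol.
ALLOWED_HOSTS = {"updates.example.com"}
DEMO_KEY = b"demo-key-for-example-only"  # stand-in for a vendor signing key

def sign(body: bytes, key: bytes = DEMO_KEY) -> str:
    """Server side: authenticate the exact response bytes."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def trusted_download_url(body: bytes, tag: str, key: bytes = DEMO_KEY) -> str:
    """Client side: return the download URL only if every check passes."""
    # 1. Integrity over the raw bytes, before any field is parsed.
    if not hmac.compare_digest(sign(body, key), tag):
        raise ValueError("response was modified in transit")
    manifest = json.loads(body)
    url = manifest.get("url") if isinstance(manifest, dict) else None
    if not isinstance(url, str):
        raise ValueError("manifest has no usable url field")
    # 2. Defence in depth: HTTPS only, and only the expected hosts.
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("download URL is not HTTPS")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected download host: {parts.hostname}")
    return url

def check(body: bytes, tag: str) -> str:
    """Return 'ok' or the rejection reason."""
    try:
        trusted_download_url(body, tag)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample response, and the same response with the URL field swapped.
GOOD = json.dumps({"app": "demo", "url": "https://updates.example.com/demo.apk"}).encode()
GOOD_TAG = sign(GOOD)
TAMPERED = GOOD.replace(b"updates.example.com", b"other.example.net")
# A correctly authenticated response that still points at an unexpected host.
OFF_HOST = json.dumps({"app": "demo", "url": "https://other.example.net/demo.apk"}).encode()

if __name__ == "__main__":
    for body, tag in ((GOOD, GOOD_TAG), (TAMPERED, GOOD_TAG), (OFF_HOST, sign(OFF_HOST))):
        print(check(body, tag))
```

The integrity check runs before parsing, so a modified response is rejected without any of its fields being trusted; the scheme and host checks then bound what even an authentic response can point to.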

"Since no fix will be available for this issue due to business decisions made by LG, we recommend turning off 'Auto app update' and [using the] Update Center application to update or install any apps on trusted Wi-Fi networks only," SEARCH-LAB said in its blog.
