LG vuln leaves Android phones wide open; no plan for patch: researchers
Vendor intends to fix auto-update flaw only in new Lollipop handsets
LG smartphone users are vulnerable to malware through a flaw in the vendor's pre-loaded Update Centre app, according to Hungarian security researchers.
Update Centre is used by LG to update software features on its handsets that cannot be downloaded from Google Play.
The Security Evaluation and Research Laboratory (SEARCH-LAB), attached to the Budapest University of Technology and Economics, said in a blog post that the flaw was present on "all Android-based LG smartphones" and that "malicious attackers controlling the network are able to install arbitrary applications on victim handsets".
SEARCH-LAB said it informed LG of the vulnerability in November 2014, but the company said it would roll out fixes only for Android Lollipop phones.
"Since no fix will be available for this issue due to business decisions made by LG, we recommend turning off 'Auto app update' and [using the] Update Center application to update or install any apps on trusted Wi-Fi networks only," SEARCH-LAB said in its blog.