If you are an LG smartphone user, chances are you are a potential victim of man-in-the-middle (MITM) attacks, according to findings by security researchers at Search-Lab in Hungary.
The vulnerability is said to enable attackers to substitute a malicious APK file for a legitimate one on an LG device, due to the presence of built-in custom apps on the mobile devices. These custom apps, like the custom apps pre-loaded by other brands, have their own update method that differs from how Google Play delivers updates to Android apps.
What exposes the update mechanism for the custom LG apps to MITM attack is that it does not verify the security certificate that accompanies the update sent by the server.
It is then possible for an attacker to install malicious applications on the victim's mobile device, since new applications or updates are sent in APK form with no extra verification process. Except for apps that require the system key's signature, such arbitrary applications could be accepted, bypassing Android's security check in the process.
At the core of the process is LG's Update Center app, which connects to the lgcpm.com server when it checks for new updates. By default, the apps that Update Center finds are installed automatically, which allows an MITM attacker to intercept the connection and install a malicious app in place of the intended one.
When the client finds the appUrl field, it downloads the new applications. The appUrl field is encrypted with a symmetric encryption key, the researchers say. Because the messages contain no security protection of any kind, the attacker can manipulate the update response and replace the appUrl with an arbitrary URL that leads to a malicious APK.
What is more troubling is that the mobile device can fetch the APK file that the attacker controls without the owner's knowledge, and that the process can take place in the background. That happens only when Update Center considers a new version of an LG application to be available.
But instead of taking across-the-board action, LG said only that it plans to address the vulnerability on some of its handsets, not all that could potentially have been affected. That means current LG handsets would not get the fixes. You can, however, disable the auto-update function on your LG device to address the flaw yourself.
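An added example (not code from the researchers or from LG) of the checks the article says the update client lacked: certificate verification on the update connection, plus validation of the appUrl and of the downloaded APK. The subdomain, the sample bytes and the premise that an expected SHA-256 digest arrives over the verified channel are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit

# Assumption: updates may only come from the vendor domain named in the article.
TRUSTED_UPDATE_DOMAIN = "lgcpm.com"


def make_update_tls_context() -> ssl.SSLContext:
    """TLS context that rejects an invalid or mismatched server certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_trusted_app_url(app_url: str) -> bool:
    """Accept only https URLs on the trusted domain or one of its subdomains."""
    try:
        parts = urlsplit(app_url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return host == TRUSTED_UPDATE_DOMAIN or host.endswith("." + TRUSTED_UPDATE_DOMAIN)


def apk_matches_digest(apk_bytes: bytes, expected_sha256_hex: str) -> bool:
    """Compare the downloaded file with the expected digest in constant time."""
    actual = hashlib.sha256(apk_bytes).hexdigest().encode()
    return hmac.compare_digest(actual, expected_sha256_hex.lower().encode())


def should_install(app_url: str, apk_bytes: bytes, expected_sha256_hex: str) -> bool:
    """Install only if the URL is trusted and the payload matches its digest."""
    return is_trusted_app_url(app_url) and apk_matches_digest(apk_bytes, expected_sha256_hex)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real update response.
    apk = b"constructed-apk-bytes"
    digest = hashlib.sha256(apk).hexdigest()
    print(should_install("https://update.lgcpm.com/app.apk", apk, digest))
    print(should_install("https://lgcpm.com.example.net/app.apk", apk, digest))
    print(should_install("https://update.lgcpm.com/app.apk", b"tampered", digest))
```

On Android the installer would additionally check the APK's signing certificate against the one expected for that package; the digest check here stands in for that step.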