If you are an LG smartphone user, chances are you’re one of the potential victims of man-in-the-middle attacks. That is based on the findings by security researchers of Search-Lab in Hungary.
The vulnerability is said to enable attackers to supplant a malicious APK file into an LG device in place of a legitimate one due to the presence of built-in custom apps in the mobile devices. These custom apps, like other custom apps pre-loaded in other brands, have a unique method of updating that’s different from how Google Play transmit updates to Android apps.
What makes the update mechanism for the custom LG apps exposed to MITM attack is that it does not have the function to verify the security certificate that goes with the update sent by a server.
Read also: Many popular Android apps remain insecure, unencrypted
It is then possible for an attacker to install malicious applications in the victim’s mobile device since fresh applications or updates are sent in APK form with no extra verification process. Save for apps that need the system key’s signature, these random applications could be permitted and do away with Android’s security check in the process.
At the core of controlling the process is LG’s Update Center app, which connects with the lgcpm.com server when it begins to find new updates. By default, the apps that are found by Update Center are installed automatically, thus allowing an MITM attacker to intercept the link and install a malicious app in place of the intended app.
And when the client starts to locate the appUrl field, it brings in fresh applications. The appUrl field is encrypted with a symmetric encryption key, the researchers say. The attacker can then manipulate the update response and replace the appUrl with a random URL that leads to a malicious APK since the messages contain no security in whatever form.
What’s more troubling is that the mobile device can fetch the APK file that the attacker takes control of without the owner’s knowledge and that the process can take place in the background. That happens only when the Update Center considers an available LG application in a new version.
But instead of taking an across-the-board action, LG only said that it plans to respond to the vulnerability for some of its handsets only, not all that could have potentially been affected. That means current LG handsets would not get the fixes. But you can disable the auto update function on your LG in order to address the flaw by yourself.
David L says
The unsecured WiFi connection is not the only place a (man in the middle) attack cxan come from. All phones call home,and most do this over http,or unencrypted connections. With LG being in China,that means those connections are at risk of being intercepted by the tool called Great Cannon. This was used in the recent ddos attack on github. So this vulnerability is that much worse. Here is the research paper: https://citizenlab.org/2015/04/chinas-great-cannon/
And a quote from the report:
A technically simple change in the Great Cannon’s configuration, switching to operating on traffic from a specific IP address rather than to a specific address, would allow its operator to deliver malware to targeted individuals who communicates with any Chinese server not employing cryptographic protections.
I recommend anyone using Chinese hardware and or software read about this current threat.