Security researchers at Search-Lab have discovered a vulnerability present on most LG phones that can allow an attacker to replace an application (APK file) with a malicious one, with potentially disastrous consequences.

The vulnerability

Like most hardware and phone manufacturers, LG pre-installs custom applications on its phones which are otherwise not available for download from Google’s Play Store. Since they are pre-loaded onto the phones, the devices contain a separate update mechanism that fundamentally relies on a connection to an LG server. This connection is used to download new code and then update the applications through LG’s Update Center application.

In researching the Update Center application, Search-Lab security researchers discovered that:

The Update Center app, when looking for updates for custom LG apps, contacts the server at lgcpm.com.

The Update Center app installs updates without validating the security certificate presented by the server. This makes the device vulnerable to man-in-the-middle attacks.

Updates are installed automatically by default, which means that the connection can be hijacked by an attacker who can then discreetly replace the application with a malicious one.

“Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones.”

“These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security,” noted Imre Rad, a security explorer at Search-Lab.
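To make the flaw concrete, here is an added example (not code from LG or Search-Lab) that models an update client in Python: a TLS context configured the way the article describes, accepting any server certificate, next to a hardened client that validates the chain and hostname, pins the update server's certificate, and checks the downloaded APK's digest before it is handed to the installer. The pin and digest values are placeholders, since the real ones are not on the page.

```python
import hashlib
import hmac
import socket
import ssl

UPDATE_HOST = "lgcpm.com"   # update server named in the article
# Placeholder: SHA-256 of the update server's DER certificate (not on the page).
PINNED_CERT_SHA256 = "0" * 64


def weak_context() -> ssl.SSLContext:
    """Mirrors the flaw: any certificate is accepted, so an on-path attacker
    can present their own certificate and serve their own APK."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validated against the system trust store, hostname checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject a forged or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison, used for both the certificate pin and the APK."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def fetch_update(path: str, expected_apk_sha256: str, pin: str = PINNED_CERT_SHA256) -> bytes:
    """Download an APK and refuse it unless the cert pin and APK digest both match."""
    ctx = hardened_context()
    with socket.create_connection((UPDATE_HOST, 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=UPDATE_HOST) as tls:
            if not digest_matches(tls.getpeercert(binary_form=True), pin):
                raise ssl.SSLError("update server certificate does not match pin")
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {UPDATE_HOST}\r\nConnection: close\r\n\r\n".encode())
            chunks = []
            while chunk := tls.recv(65536):
                chunks.append(chunk)
    body = b"".join(chunks).split(b"\r\n\r\n", 1)[1]   # strip HTTP headers (assumes no chunked encoding)
    if not digest_matches(body, expected_apk_sha256):
        raise ValueError("downloaded APK digest mismatch; refusing to install")
    return body
```

The digest check only helps if the expected value arrives over a channel the attacker cannot rewrite, which is why the pin on the server certificate is checked first.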

Newer LG phones are spared

Labelled CVE-2015-4110, the vulnerability was reported to LG, which then notified Search-Lab that models including the flagship LG G4, among other phones released this year, aren’t vulnerable.

However, almost all older models are vulnerable. Releasing a patch for LG’s Update Center isn’t an easy task: LG would have to run quality assurance procedures for all of its phones, and mobile carriers would then also be required to check the update. All of this is mandatory before the update can finally be pushed to users’ phones.

“Since smart phone vendors need approval of carriers for every single application update and in this case most of LG’s products are affected; LG made a business decision and they don’t provide the fix for most of their customers, at least ‘for the time being’,” said Rad.

In the meantime, LG users are strongly advised to manually disable the ‘automatic update’ feature in LG’s Update Center. Furthermore, installing new apps is only recommended when the phone is connected to a trusted Wi-Fi network.