A patch may become available by the end of the month

Jul 3, 2015 12:47 GMT  ·  By

Smartphones from LG that did not ship with Lollipop (Android 5.0), or did not receive an update to this release or above, can be compromised via man-in-the-middle attacks that serve malicious app updates.

The vulnerability lies in the way Update Center, an LG app that handles updates on the phone, accepts update content.

Newer LG phones are not affected

Security researchers from Hungary-based Search-Lab found that, although Update Center relies on an encrypted connection to pull in new app versions, it does not verify the identity of the server pushing the content, so the encryption offers no assurance about who is on the other end of the connection.

The security flaw was reported to LG on November 27, 2014. The company replied that a fix would be implemented in new devices launching in 2015 with Lollipop.

Some of the LG phones that arrived this year with Lollipop are G4, G4c, G4 Dual, G Stylo, G4 Stylus, Magna, Spirit, Leon, Joy and G Flex2.

However, a large LG user base has older models, such as the G3 or G2 Lite, which remain affected. In response to our request for comment, a company representative said that LG would not abandon these users and is currently working on a patch for these phones, too.

Don't connect to untrusted Wi-Fi

“LG is committed to security in all our products and remains committed to providing a user experience that customers can trust,” the representative said via email, adding that the glitch was repaired in all devices running Android 5.0 or higher, and in these cases, Update Center requires certificate validation before installing an app.
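To make the class of defect concrete, here is an added illustration in Java (the language an Android app such as Update Center is written in). It is hypothetical code written for this article, not LG's Update Center source, and the class name, the `UPDATE_URL` endpoint and the method names are assumptions. The first method shows the pattern in which the channel is encrypted but the server is never authenticated, which is the effect the researchers describe; the second shows the fix LG points to, certificate validation using the platform defaults; the last method is a review-time check that flags a hostname verifier which accepts everything.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative update-fetching clients. Hypothetical code written for this
 * article; it is not LG's Update Center and does not mirror its internals.
 */
public final class UpdateFetchExample {

    /** Assumed update endpoint; ".invalid" is a reserved TLD, so it never resolves. */
    static final String UPDATE_URL = "https://updates.example.invalid/apps/manifest.json";

    /**
     * VULNERABLE PATTERN (the class of defect the article describes): the channel
     * is encrypted, but neither the server's certificate chain nor the hostname it
     * was issued for is checked. Any party that can intercept the connection may
     * present its own certificate and is accepted, so whatever update payload it
     * returns is trusted blindly.
     */
    static HttpsURLConnection openWithoutServerValidation(URL url)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustEverything = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    /**
     * HARDENED PATTERN: keep the platform defaults. The default socket factory
     * validates the chain against the device trust store, and the default hostname
     * verifier checks that the certificate was issued for the update host.
     */
    static HttpsURLConnection openWithServerValidation(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(HttpsURLConnection.getDefaultSSLSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    /** Reads the manifest body; the TLS handshake, and any validation, happens here. */
    static String fetchManifest(HttpsURLConnection conn) throws IOException {
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            StringBuilder body = new StringBuilder();
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line).append('\n');
            }
            return body.toString();
        }
    }

    /**
     * Review-time check: a HostnameVerifier that approves a name which cannot
     * belong to the update server is a validation bypass.
     */
    static boolean acceptsAnyHostname(HttpsURLConnection conn) {
        HostnameVerifier v = conn.getHostnameVerifier();
        try {
            return v.verify("not-the-update-server.invalid", null);
        } catch (RuntimeException e) {
            return false;  // real verifiers inspect the session and reject or throw without one
        }
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL(UPDATE_URL);
        HttpsURLConnection weak = openWithoutServerValidation(url);
        HttpsURLConnection strong = openWithServerValidation(url);
        System.out.println("permissive verifier on weak client:   " + acceptsAnyHostname(weak));
        System.out.println("permissive verifier on strong client: " + acceptsAnyHostname(strong));
        // fetchManifest(strong) now refuses any server whose certificate does not
        // chain to a trusted CA and name the update host.
    }
}
```

The point of the hardened variant is that it adds nothing exotic: it simply stops overriding the trust manager and hostname verifier that the platform already provides. In a code review, any `X509TrustManager` with empty `check*Trusted` bodies or a `HostnameVerifier` that returns `true` unconditionally should be treated as the same finding the researchers reported here.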

“For pre-Lollipop LG smartphones, a software patch is currently being prepared and will be issued over the next several weeks starting this month,” the comment from the company continued.

Until a fix arrives, users with vulnerable devices can protect themselves by turning off automatic updates in Update Center and running the process manually only when connected to a trusted Wi-Fi network.