Attacker can push malicious apps as part of update routine

Jun 29, 2015 11:36 GMT

A security vulnerability found in the Update Center application for Android available in most LG smartphones could be exploited by an attacker to push malicious apps to users without raising suspicions.

To compromise an LG handset, the threat actor needs to be in a position to intercept traffic from the vulnerable device, known as a man-in-the-middle (MitM) position, which is not difficult to achieve.

LG’s Update Center is a proprietary app that does not receive new versions via Google Play, but straight from a company server. The communication with the terminal is encrypted, which should reduce the MitM risk because the attacker would not be able to see the traffic exchanged.

Apart from traffic encryption, the source needs to be verified by checking its SSL/TLS certificate before accepting data from it, to make sure that the device communicates with a legitimate machine.

Rogue apps could be installed invisibly to the user

Security researchers from Hungary-based Search-Lab discovered last year that, although LG’s Update Center app encrypts traffic, it does not check the SSL/TLS certificate of the server (lgcpm.com) delivering the updates, thus accepting information from a different host.

“Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones. These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security,” Imre Rad, security explorer at Search-Lab, said via email.

Rad explained that, in the absence of integrity protection measures for the message exchange, the attacker can intercept the response sent to LG’s Update Center and replace the URL for downloading the requested app with one for malicious software.

The entire process can even take place in the background, without the user suspecting anything. Furthermore, Rad says that the default configuration of LG smartphones installs app updates automatically, as soon as they are available.
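The two gaps described above (no server certificate check, and a download URL that is accepted as received) can be shown from the client side. This is an added example, not LG's or Search-Lab's code; the JSON response format, the `apk_url` field and the sample URLs are constructed assumptions, and the host check is defense in depth rather than a replacement for signed update metadata.

```python
import json
import ssl
from urllib.parse import urlsplit

UPDATE_HOST = "lgcpm.com"  # update server named in the article


def weak_context() -> ssl.SSLContext:
    """Encrypts traffic but authenticates nobody: the flaw described above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verifies the certificate chain and that it was issued for the host."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the server-authentication checks a client context does not enforce."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def download_url_from(response_body: str) -> str:
    """Extract the APK URL; refuse anything not served over HTTPS by UPDATE_HOST."""
    url = json.loads(response_body)["apk_url"]  # hypothetical field name
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS download: " + url)
    if host != UPDATE_HOST and not host.endswith("." + UPDATE_HOST):
        raise ValueError("refusing download from unexpected host: " + host)
    return url


# Constructed sample responses; the article does not give the real protocol format.
GENUINE = '{"package": "com.example.app", "apk_url": "https://lgcpm.com/updates/app.apk"}'
TAMPERED = '{"package": "com.example.app", "apk_url": "http://updates.example.net/app.apk"}'

if __name__ == "__main__":
    print("weak context:", audit_context(weak_context()))
    print("hardened context:", audit_context(hardened_context()))
    print("genuine URL accepted:", download_url_from(GENUINE))
```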

Newer LG phones should not be affected

The vulnerability, identified as CVE-2015-4110, was reported to LG on November 27, 2014, and the company replied on December 3, 2014, that it was “considering the fix for newly launched models with L OS [Android Lollipop] next year,” arrived on December 17, 2014.

Among the models launched this year with Android Lollipop, there are G4, G4c, G4 Dual, G Stylo, G4 Stylus, Magna, Spirit, Leon, Joy and G Flex2. As per LG’s response to Search-Lab, these should not be vulnerable.

However, most, if not all, of the older models may be affected. Rad told Softpedia that Search-Lab’s tests included the LG G1, G2 and G3 (running the latest OS version available for them), all being vulnerable to CVE-2015-4110.

The last two of them were tested about a month ago, while in the case of LG G1 the evaluation was repeated recently and researchers found no change in the protocol or the Update Center app.

We contacted LG for a comment on the matter but a reply had not been received at the moment of publishing this article.

Rolling out a patch for LG’s Update Center is not an easy task because the developer would have to run quality assurance procedures for all phones and the update would also have to be checked by mobile carriers and then pushed to users.

To keep safe from malicious activity, LG users are advised to disable the automatic updates feature in Update Center and install new apps only when connected to trusted Wi-Fi spots.

[UPDATE, July 3]: We received an answer from LG saying that the company is currently working on a patch for older models, to be "issued over the next several weeks starting this month."