LG's Update Center App Vulnerable To Man-In-The-Middle Cyberattacks


Own an LG Android device? You might be at great risk! A security vulnerability found in LG's Update Center Android application could be exploited by an attacker to perform man-in-the-middle attacks.

An attacker who is able to put himself/herself in a position to intercept traffic from the vulnerable device can push malicious apps to users without raising suspicions.

LG’s Update Center app does encrypt its traffic, but it does not check the SSL/TLS certificate of the server (lgcpm.com) delivering the updates. Because the certificate is never validated, the vulnerable application will accept update information from a different host answering in that server's place.
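The gap between an encrypted channel and an authenticated one, shown as an added Python example (not LG's code, which the article does not show). The function names are hypothetical; only the host name comes from the article.

```python
import socket
import ssl

UPDATE_HOST = "lgcpm.com"  # update server named in the article


def encrypt_only_context():
    """Weak setting: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated
    return ctx


def authenticated_context():
    """Corrected setting: chain must reach a trusted CA and the name must match."""
    return ssl.create_default_context()  # CERT_REQUIRED plus check_hostname


def audit_context(ctx):
    """Return the reasons a client context cannot authenticate its server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the host name")
    return findings


def open_update_channel(ctx, host=UPDATE_HOST, port=443):
    """Fail closed: refuse to fetch updates over a channel that is only encrypted."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing unauthenticated TLS: " + "; ".join(findings))
    raw = socket.create_connection((host, port), timeout=10)
    # server_hostname is what the presented certificate is matched against
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("encrypt-only", encrypt_only_context()),
                      ("authenticated", authenticated_context())):
        print(name, audit_context(ctx) or "ok")
```

Both contexts negotiate the same ciphers; only the second one gives the client any assurance about which server holds the other end of the connection.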

The researchers who discovered the flaw last year said via email, "Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones."

"These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security."

According to LG, the models launched this year with Android Lollipop are not vulnerable.

Unfortunately, there is no patch available to fix the vulnerability.

To avoid exploitation, LG users are advised to disable the automatic updates feature in Update Center and install new apps only when connected to trusted Wi-Fi spots.
