LG won't fix malware slinging bloatware update hole

The the Budapest University of Technology and Economics' Security Evaluation and Research Laboratory (SEARCH-LAB) says "malicious attackers controlling the network are able to install arbitrary applications" on LG's Android phones, thanks to a flaw in their software update mechanism.

The Lab says the flaw impacts "all Android based LG Smart Phones", thanks to the "Update Centre" LG installs on its hardware to handle upgrades to the non-standard apps it uses to pollute handsets with bloatware add value in a crowded market. SEARCH-LAB says it informed LG of the flaw in November 2014.

"The Update Center application communicates with the host www.lgcpm.com through HTTPS," the SEARCH-LAB team write. "However, the SSL certificate of the server is not verified by the Update Center application at all, thus the connection can be hijacked by a man-in-the-middle attack."

LG has been contacted for comment.

SEACRH-LAB chap Imre Rad One told LIFARS, LG's decision not to quickly release a fix is probably down to the fact that an update to Update Centre would require an OS re-install on many handsets. That, Rad suggests, would mean all manner of chit-chat with carriers and hassle.

It may not be unreasonable to avoid that hassle, because to exploit the flaw attackers have to control a wifi network or operate on an open network in order to intercept the update process.

Rad therefore thinks LG "made a business decision" not to provide a patch "at least for the time being.

LG users can defend themselves by disabling the automatic update feature and only installing updates over trusted WiFi connections.

Or they could give the entire update process the boot and root their devices to install supported third-party ROMs such as Cyanogen. ®