LG phones affected by Update Center security flaw

[D13H4RD]

There's a security flaw dug up by SEARCH-LAB, which found a potentially serious security flaw on LG's update center app installed on many LG devices, including LG's current flagship, the G4.

 

According to them,

 

"The Update Center application communicates with the host www.lgcpm.com through HTTPS. However, the SSL certificate of the server is not verified by the Update Center application at all, thus the connection can be hijacked by a man-in-the-middle attack.

Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones. These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security." 

 

There's no word on a fix yet from LG, other than a statement saying that they are considering a fix for newer models that run Android Lollipop.

 

Since there's no fix currently available, they recommend turning off auto-update in the LG Update Center app and only updating LG apps when in a secured and trusted network, like your home network.

 

Link to article: http://www.search-lab.hu/about-us/news/109-security-vulnerability-in-lg-s-update-center-application

[Castdeath97]

Another reminder of why bloat is bad.

[D13H4RD]

Another reminder of why bloat is bad.

Well, it's not really bloat. Just a calculator, clock and some basic stuff.

 

If you're running a custom ROM, you're fine.

[legend8887]

I have a G3.

[D13H4RD]

I have a G3.

If you're running the stock ROM, turn off auto-update and only update those apps in trusted and secured Wi-Fi hotspots, like your home.

 

It's a network security flaw that can only be done on unprotected networks.

[killertek78]

I never use open wifi, ever. I preach this to everyone I can at work/daily life. It is just bad. Wait till you get home, or get a better data plan. 

[Echodamus]

Daaaaaaaaaaaaaaaaaaaaaaaaaaaamnit. I just got my G4 yesterday. 

[Nineshadow]

Another reminder of why bloat is bad.

It's not bloat. The Update Center is just the OTA updating software for LG phones. It provides OS updates, as well as other LG application updates (calculator,calendar, remote, QuickMemo, radio and I think there's also a backup app).

[Castdeath97]

It's not bloat. The Update Center is just the OTA updating software for LG phones. It provides OS updates, as well as other LG application updates (calculator,calendar, remote, QuickMemo, radio and I think there's also a backup app).

I thought it was something else, I feel so smart today, it even says Update on its name....... 

[D13H4RD]

I never use open wifi, ever. I preach this to everyone I can at work/daily life. It is just bad. Wait till you get home, or get a better data plan. 

I always use LTE data, even if there's open Wi-Fi next to me.

 

I only buy stuff on the Play Store or any other store on secured, trusted networks, especially my home network. 

 

I never do that stuff on open Wi-Fi, because you never know what might happen.

[D13H4RD]

If you guys wanna know how, do the following (if you need to know)

 

1) Go to your device's Settings.

2) Go to "About Phone"

3) Tap "Update Center"

4) Tap "App Updates"

5) Tap the 3 dots on the top right to bring up the menu and tap "Settings"

6) Tap "Auto-update apps" and turn it off.