Security vulnerability in LG’s Update Center application

SEARCH-LAB Ltd discovered another security issue threatening LG Smart Phone users: malicious attackers controlling the network are able to install arbitrary applications on victim handsets.

Most smart phone vendors ship their handsets with custom applications developed by them. These applications are usually not available in Google’s Play Store – they are installed and updated through the vendor’s own app store platform. In case of LG, such custom applications are managed by the “Update Center” app; in addition to functioning as an app store, the Update Center is also responsible for periodically checking whether any updates are available for applications developed by LG.

The Update Center application communicates with the host through HTTPS. However, the SSL certificate of the server is not verified by the Update Center application at all, thus the connection can be hijacked by a man-in-the-middle attack.

Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones. These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security.

SEARCH-LAB Ltd discovered this vulnerability in November, 2014 and disclosed the technical details to the manufacturer. LG answered, that they were considering the fix for newly launched models only (aka the ones which are coming with Android L) .

According to the current state, all Android based LG Smart Phones are affected by this exploitable vulnerability today and remain exposed according to LG’s plans.

Some technical details (CVE-2015-4110): the web service running on expects and responds with JSON encoded data. When fetching new applications, the client looks for the "appUrl" field, which holds a base64 encoded, encrypted URL. The encryption key is symmetric, it is based on the certKey field, which is part of the same message. Since there is no integrity protection applied to the messages, an attacker can intercept the update response and replace the value of appUrl with any arbitrary URL pointing to a potentially malicious APK. This way the handset fetches the APK file controlled by the attacker without the user’s knowledge. This can even occur in the background, when the Update Center believes that a new version of an LG application is available. Additionally, LG Smart Phones are configured to automatically install new updates by default when they are available.

Since no fix will be available for this issue due to business decisions made by LG, we recommend turning off “Auto app update” and use Update Center application to update or install any apps on trusted Wi-Fi networks only.