LG Will Not Close Gaping Security Hole In Smartphones

Since November, LG knows that all of its Android mobile phones easily infect settle with spy software. But eliminate one wants the problem apparently only for the new models, Hungarian researchers report.

Researchers of the Budapest University of technology and economics have established that LGs Android phones have a dangerous security problem, the attacker can download any malicious code and spying apps on the phone. You have informed the manufacturer, but LG will fix this problem appears only in new devices.

Update mechanism

The gap is therefore found in the update mechanism of LG mobile phones. By default, the in-house Update Center app regularly check whether updated software versions are available and installs it automatically. This communication via TLS is encrypted to prevent misuse.

But the app doesn’t control whether she even really speaks to the correct server, the spin off company SearchLab. So, a so called man-in-the-Middle can intercept these communications in a wireless network and manipulate. He replaced a response from the server with a reference to a spy app, the attacked mobile installs it without asking.

Permanent threat

All LG phones with Android are affected according to the discoverer of search-lab. They have already informed the manufacturer in November 2014 about the problem. The wool to fix it but only for the new models with Android L, they noted in their report security vulnerability in LG’s Update Center application.

Since the update checks regularly happen in the background, LG mobile phones are permanently at risk. To protect themselves, only the option to turn off the auto-update and start the update only in trusted networks of hand remain users of LG phones. This leaves of course, still room for attacks by attackers with access to the network infrastructure, such as employees of provider, intelligence services or law enforcement officers. (ju)