Sign in / up

back to article LG won't fix malware slinging bloatware update hole

The the Budapest University of Technology and Economics' Security Evaluation and Research Laboratory (SEARCH-LAB) says "malicious attackers controlling the network are able to install arbitrary applications" on LG's Android phones, thanks to a flaw in their software update mechanism. The Lab says the flaw impacts "all Android …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. oneeye

    The REAL Danger is that LG is located in China!

    The fact that China can be that "man in the middle" attacker, makes this vuln a backdoor that Great Cannon could exploit at will. Remember the DDOS Attack on GitHub late March this year? If you go back and review all the vulns in Chinese hardware and software,you will see a consistent effort to leave an attack vector in many, many products. This is only the latest.

    0 16 Reply
    1. choleric
      Reply Icon
      Megaphone

      Re: The REAL Danger is that LG is located in China!

      So, oneeye, what part of Spain do you come from?

      LG is based in South Korea, not China!

      8 0 Reply
  2. Destroy All Monsters Silver badge

    Apply BDS policy...

    ...don't buy LG.

    0 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Apply BDS policy...

      So applying that policy to all similar situations, are there any modern smartphones left on the market you can buy?

      0 0 Reply
      1. Destroy All Monsters Silver badge
        Reply Icon
        Coat

        Re: Apply BDS policy...

        No.

        (This might be why I don't have one...)

        1 0 Reply

  3. This post has been deleted by its author

  4. adam payne

    So they decide to not patch the issue, what are they going to do simply ignore the issue?

    It's their additional software that they have installed so they should be patching it.

    Surely a little inconvenience for LG is acceptable so that they can protect their customers.

    2 0 Reply
    1. Charles 9
      Reply Icon

      It's not a little inconvenience. It's a LOT of inconvenience since most of the firmwares have to be signed off by the network operators before they can be patched OTA (and if they want the phones to be sold in the carrier stores, they better the heck be signed off or else). That means getting in touch with hundreds of operators around the world, not all of which may be forthcoming. And let's not start on the handsets that are close to if not past EOL status.

      It WOULD be easier if LG could send this direct to the phones, but only Apple has the consumer pull to dictate terms. Everyone else as of now is beholden to the operators.

      0 0 Reply
      1. TeeCee Gold badge
        Reply Icon
        Coat

        Besides, the real reason is that if they did validate the server certificate, everyone's phone would throw errors each and every time they forgot to keep it up to date.

        0 0 Reply
  5. Wolfclaw

    Not Surprised

    LG not patching, not surprised, they and the carriers got your money and don't give a toss about supporting you, you want the hole fixed, upgrade the handset you'll hear them say. They leave any fixes to Google, to try and clean up the mess. Android is a good O/S but compared to IOS and WP it is too splintered and bastardised by companies and carriers all trying to be too clever and screwing it all up !

    9 0 Reply
    1. TeeCee Gold badge
      Reply Icon
      Meh

      Re: Not Surprised

      Hmm, it's not just third-parties buggering Android.

      The app update model is b0rken. When the new version of an app is cattle-trucked, you're left with an official choice of being stuffed or reverting to whatever antique version is sat in ROM[1]. Going back to last known working involves tracking down the .apk, turning on install from untrusted and doing it yourself.

      In a word, "maps". On my Ascend P6, versions since 8.x go titsup on invocation with a nasty library API error. Something to do with the "more opportunities for us to punt crap at you"[2] functionality that Google built in from 9 objecting to something in the Huawei build.

      [1] Of course, if it's an app you installed, rather than one supplied with the phone, your options are more limited....!

      [2] I can't see anything else in the release notes that differentiates 9 from 8. The Googly deafness on this one supports the idea that what's at fault is something that makes them cash and that they thus won't allow to be turned off.

      2 0 Reply
  6. Just Enough
    WTF?

    Who does this?

    "only installing updates over trusted WiFi connections."

    Seriously. Who installs anything on any device over a random WiFi connect they picked up in some public place? Apart from the security concerns, you don't want to be relying on the speed and uptime of some flaky connection for something so significant as an system update.

    Any install can wait until you're at work, or at home, surely?

    3 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Who does this?

      We're not talking system updates (not in the sense of an OS / OTA update). LGs updater is updating "system" APKs but not the whole system itself.

      Likely the updater kicks itself off intermittently as soon as it has a WiFi connection similar to the Play Store's default settings, so no need for user input. At least with the Play Store it does it over an encrypted connection and has signature checking.

      I'll never buy a phone with manufacturer junk on it for precisely this reason.

      1 0 Reply
      1. Charles 9
        Reply Icon

        Re: Who does this?

        The trouble is, to fix this problem you have to update the updater, creating a potential chicken-and-egg problem that apparently necessitates an OTA update to fix. Now, you'd think you can just install an updated version on top like you can with other system apps, but perhaps they're worried about exploited downgrading or some other security mechanism that only works if installed to /system.

        0 0 Reply
  7. Robert Carnegie Silver badge

    Surely possible

    Distributing a fix shouldn't be a problem because surely the Update Centre can update itself.. surely? If it can't, then what is it even for?

    Windows Update updates Windows Update without asking for the permission that I have to give for other updates.

    The Goodroid Playstore can update software on my handset, except for updating Android itself. But it can update the Playstore. It wasn't called that when I got the phone. I don't remember what it was called, or what it is called now. The point is, it changes. It's like owning a TARDIS - a Type Forty that is locked into bulky rectangular exterior format.

    Device-specific software also seems to be available in the Playstore, so, can't LG just use that for their software updates?

    3 0 Reply
    1. Charles 9
      Reply Icon

      Re: Surely possible

      I think the problem is the lack of certificate checking on the old version. Attempting to overlay the new version on top of the old (which is how system apps like Play Store get upgraded) still leaves the old, unsafe version in the ROM, leaving the potential to downgrade back to it by another exploit. There's also the potential of a rogue update since the certificates aren't checked. The only way to make a system update stick is to flash it directly into /system.

      0 0 Reply
  8. eJ2095

    Oh no i got a LG G3

    Oh wait i got custom ROM... with no Bloat..

    Thank you XDA ;-0

    1 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like