Many smartphones manufactured by LG contain a vulnerability that can allow an attacker to replace an APK file with a malicious file of his choice. Researchers at Search-Lab in Hungary found that the update process for these apps does not validate the security certificate presented by the server on the other end, opening users up to man-in-the-middle attacks. LG plans to fix the bug only in new handsets and won’t push a fix to existing phones. LG officials said they are looking into the details of the report.
Source: https://threatpost.com/researcher-says-lg-app-update-mechanism-doesnt-verify-ssl-cert/113522/