5 September 2019

Millions of Android devices vulnerable to advanced SMS phishing attack

Modern Android smartphones from multiple vendors, including Samsung, Huawei, LG, and Sony, are susceptible to a clever SMS phishing attack that allows bad actors to trick users into accepting malicious phone settings that are disguised as innocuous network configuration updates.

The spoofing attack uncovered by researchers from cybersecurity firm Check Point Research relies on a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. This method can be used by malicious actors to intercept all email or web traffic to and from Android phones using specially-crafted bogus SMS messages.

“In these attacks, a remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic through a proxy controlled by the attacker,” wrote the researchers.

The experts pointed out that the industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), implements limited authentication methods. This means that the protocol doesn’t allow a recipient to verify the origin of the provisioning setting messages.

OMA CP allows changing the following settings over-the-air:

  • MMS message server

  • Proxy address

  • Browser homepage and bookmarks

  • Mail server

  • Directory servers for synchronizing contacts and calendar and more

To conduct the attack, an attacker needs a GSM modem (either a $10 USB dongle or a phone operating in modem mode), which is used to send binary SMS messages, and a simple script or off-the-shelf software to compose the OMA CP.

Samsung phones are particularly defenseless against this attack because they allow unauthenticated OMA CP messages.

“If the attacker is able to obtain the International Mobile Subscriber Identity (IMSI) numbers of potential victims using Huawei, LG or Sony phones, he can mount a phishing attack as effective as the one against Samsung phone users,” said the experts.

If the IMSI number cannot be obtained, the attacker can send two messages: the first is a text message purporting to be from the victim’s network operator, asking the victim to accept a PIN-protected OMA CP, and the second is an OMA CP message authenticated with the same PIN.

“Such CP can be installed regardless of the IMSI, provided that the victim accepts the CP and enters the correct PIN,” explained Check Point.

Check Point privately notified all affected companies about its findings in March. All vendors with the exception of Sony have issued patches or are planning to fix the vulnerability in upcoming releases. Samsung addressed the flaw in its May security update (SVE-2019-14073), while LG fixed it in July (LVE-SMP-190006). As for Sony, the company refused to acknowledge the vulnerability, stating that its devices follow the OMA CP specification, the report said.
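The three cases described above (no authentication, IMSI-keyed, PIN-keyed) can be seen from the handset's side in the following added example, which is not Check Point's or any vendor's code. The `CpMessage` type, the `evaluate` policy and its verdict strings are hypothetical; the method names follow OMA CP's NETWPIN and USERPIN, and the MAC is assumed to be HMAC-SHA1 with a simplified ASCII key encoding.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class CpMessage:
    """Hypothetical, simplified view of a received OMA CP message."""
    sec: Optional[str]   # "NETWPIN" (IMSI-keyed), "USERPIN" (PIN-keyed) or None
    mac: Optional[str]   # hex MAC carried with the message, if any
    body: bytes          # provisioning document (proxy, mail server, ...)


def cp_mac(key: bytes, body: bytes) -> str:
    # Assumption: the MAC is HMAC-SHA1 over the document, hex-encoded, and
    # the key is the ASCII digits of the IMSI or PIN (simplified encoding).
    return hmac.new(key, body, hashlib.sha1).hexdigest()


def evaluate(msg: CpMessage, device_imsi: str, entered_pin: Optional[str] = None) -> str:
    """Return the handset's decision for one provisioning message."""
    if msg.sec is None or not msg.mac:
        return "reject"            # unauthenticated: never offer to install
    if msg.sec == "NETWPIN":
        key = device_imsi.encode()
    elif msg.sec == "USERPIN":
        if entered_pin is None:
            return "need-pin"      # cannot check the MAC without the PIN
        key = entered_pin.encode()
    else:
        return "reject"            # unknown authentication method
    if not hmac.compare_digest(cp_mac(key, msg.body), msg.mac.lower()):
        return "reject"            # MAC does not match this IMSI / PIN
    # A valid MAC only shows the sender knew the IMSI or chose the PIN; neither
    # proves the operator sent it, so the user is warned before anything changes.
    return "warn-sender-unverified"


# Constructed sample data (not captured traffic).
IMSI = "001010123456789"
DOC = b"<characteristic type='PXLOGICAL'>proxy.example.invalid</characteristic>"
SAMPLES = {
    "no auth": CpMessage(None, None, DOC),
    "imsi ok": CpMessage("NETWPIN", cp_mac(IMSI.encode(), DOC), DOC),
    "imsi wrong": CpMessage("NETWPIN", cp_mac(b"001019999999999", DOC), DOC),
    "pin": CpMessage("USERPIN", cp_mac(b"1234", DOC), DOC),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, "->", evaluate(m, IMSI, entered_pin="1234"))
```

Even the best verdict here is a warning, because a correct MAC shows only that the sender knew the IMSI or picked the PIN, which is the weakness the researchers describe.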
