Modern Android smartphones from multiple vendors, including Samsung, Huawei, LG, and Sony, are susceptible to a clever SMS phishing attack that allows bad actors to trick users into accepting malicious phone settings disguised as innocuous network configuration updates.
The spoofing attack uncovered by researchers from cybersecurity firm Check Point Research relies on a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. This method can be used by malicious actors to intercept all email or web traffic to and from Android phones using specially-crafted bogus SMS messages.
“In these attacks, a remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic through a proxy controlled by the attacker,” wrote the researchers.
The experts pointed out that the industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), implements limited authentication methods. This means that the protocol doesn’t allow a recipient to verify the origin of the provisioning setting messages.
OMA CP allows changing the following settings over-the-air:
MMS message server
Browser homepage and bookmarks
Directory servers for synchronizing contacts and calendar and more
To conduct the attack, an attacker needs a GSM modem (either a $10 USB dongle or a phone operating in modem mode), which is used to send binary SMS messages, and a simple script or off-the-shelf software to compose the OMA CP.
Samsung phones are particularly defenseless against this attack because they allow unauthenticated OMA CP messages.
“If the attacker is able to obtain the International Mobile Subscriber Identity (IMSI) numbers of potential victims using Huawei, LG or Sony phones, he can mount a phishing attack as effective as the one against Samsung phone users,” said the experts.
If the IMSI number cannot be obtained, the attacker can send two messages: the first is a text message purporting to be from the victim’s network operator asking the user to accept a PIN-protected OMA CP, and the second is an OMA CP message authenticated with the same PIN.
“Such CP can be installed regardless of the IMSI, provided that the victim accepts the CP and enters the correct PIN,” explained Check Point.
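The following is an added example, not code from Check Point or from this article: a triage function for received provisioning messages that encodes the three cases described above (unauthenticated CP, IMSI-authenticated CP, and a PIN lure text followed by a PIN-authenticated CP). The event schema, field names, severity labels, and 10-minute correlation window are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events; the schema (ts, device, kind, auth, text, settings) is hypothetical.
EVENTS = [
    {"ts": "2019-09-04T10:00:05", "device": "A", "kind": "oma_cp", "auth": "none", "settings": ["proxy"]},
    {"ts": "2019-09-04T10:02:00", "device": "B", "kind": "text",
     "text": "Operator update: accept the new settings with PIN 1234"},
    {"ts": "2019-09-04T10:02:40", "device": "B", "kind": "oma_cp", "auth": "pin",
     "settings": ["proxy", "homepage"]},
    {"ts": "2019-09-04T11:00:00", "device": "C", "kind": "oma_cp", "auth": "imsi", "settings": ["mms_server"]},
    {"ts": "2019-09-04T12:00:00", "device": "D", "kind": "text", "text": "Your PIN is 9911"},
    {"ts": "2019-09-04T15:00:00", "device": "D", "kind": "oma_cp", "auth": "pin", "settings": ["mms_server"]},
]

# A text SMS that mentions "PIN" and then quotes a 4-8 digit code.
PIN_LURE = re.compile(r"\bPIN\b.*\b\d{4,8}\b", re.IGNORECASE)

def triage(events, window=timedelta(minutes=10)):
    """Return (device, timestamp, severity, reason) for every OMA CP message."""
    findings = []
    last_lure = {}  # device -> time of the most recent text SMS quoting a PIN
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "text":
            if PIN_LURE.search(ev.get("text", "")):
                last_lure[ev["device"]] = when
            continue
        if ev["kind"] != "oma_cp":
            continue
        lure = last_lure.get(ev["device"])
        if ev["auth"] == "none":
            sev, why = "high", "unauthenticated CP"
        elif ev["auth"] == "pin" and lure and when - lure <= window:
            sev, why = "high", "PIN lure SMS followed by PIN-authenticated CP"
        elif ev["auth"] == "pin":
            sev, why = "medium", "PIN-authenticated CP, no lure seen in window"
        elif ev["auth"] == "imsi":
            sev, why = "medium", "IMSI-authenticated CP; origin still unverified"
        else:
            sev, why = "high", "unknown authentication method"
        if "proxy" in ev.get("settings", []):
            why += "; changes proxy"  # traffic-routing change, per the researchers' example
        findings.append((ev["device"], ev["ts"], sev, why))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```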
Check Point privately notified all affected companies about its findings in March. All vendors, with the exception of Sony, have issued patches or are planning to fix the vulnerability in upcoming releases. Samsung addressed the flaw in its May security update (SVE-2019-14073), while LG fixed it in July (LVE-SMP-190006). As for Sony, the company refused to acknowledge the vulnerability, stating that its devices follow the OMA CP specification, the report said.