Story image

Security flaw left Android phones open to SMS phishing attacks found

10 Sep 2019
Twitter
Facebook

Check Point Research has revealed a security flaw in Samsung, Huawei, LG, Sony and other Android-based phones that leaves users vulnerable to advanced phishing attacks.

The affected Android phones use over-the-air (OTA) provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network. 

However, Check Point Research found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), includes limited authentication methods. 

Remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users. 

The message tricks users into accepting malicious settings that, for example, route their Internet traffic through a proxy server owned by the hacker.

Researchers determined that certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages. 

The user only needs to accept the CP and the malicious software will be installed without the sender needing to prove their identity.

Huawei, LG, and Sony phones do have a form of authentication, but hackers only need the International Mobile Subscriber Identity (IMSI) of the recipient to ‘confirm’ their identity. 

Attackers can obtain a victim’s IMSI in a variety of ways, including creating a rogue Android app that reads a phone’s IMSI once it is installed. 

The attacker can also bypass the need for an IMSI by sending the user a text message posing as the network operator and asking them to accept a pin-protected OMA CP message.

If the user then enters the provided PIN number and accepts the OMA CP message, the CP can be installed without an IMSI.

“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” says Check Point Software Technologies security researcher Slava Makkaveev. 

“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. 

“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”

The researchers disclosed their findings to the affected vendors in March. 

Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073), LG released their fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.

Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification.

Story image
14 Nov
Lack of PCI DSS compliance putting payment security at risk
Organisations across Asia Pacific are demonstrating stronger payments security compliance compared to other parts of the world, however global trends indicate that payments security compliance has dropped for the second year in a row.More
Story image
05 Nov
Adobe announcements bring a host of Creative Cloud capabilities to mobile devices
On the list are Photoshop on iPad, Fresco on Windows and Adobe Aero for immersive media, along with previews of Adobe Illustrator on iPad and Photoshop Camera.More
Story image
13 Nov
Microsoft showcases innovations in new Asia Pacific HQ
Almost 145,000 metres of cabling, 200 display screens, 179 Bluetooth beacons and 900 sensors make up Microsoft’s new Asia Pacific headquarters in Singapore, which is now home to the region’s first Microsoft Experience Centre.More
Story image
11 Nov
Inland Revenue cracks down on multinationals' tax obligations
“If they don’t play by the new rules, we will know who they are, and they should expect we’ll be in touch."More
Download image
Is an MSSP really a safe bet?
One of the largest inhibitors to cloud adoption is concern around the security of leveraging a service provider in a multi-cloud world. A lot is at stake and yes, you should be cautious.More
Story image
19 Nov
Q&A with Isentia: Knowing your customer base in an ever-changing media environment
How do you make enough noise to let people know who you are, but also build an authentic community and open lines of communication with your audience?More