The flaw potentially exposes an estimated 2.5 billion monthly active users of Android phones to phishing attacks, and although some top suppliers have recently issued fixes, not all Android users are covered, so many could still be at risk.
The affected Android phones use over-the-air (OTA) provisioning, which allows mobile network operators to deploy network-specific settings to a new phone joining their network. However, Check Point researchers found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), includes limited authentication methods.
This can be exploited to custom-engineer SMS text messages, enabling attackers to pose as network operators and send deceptive OMA CP messages to users.
The message appears to be a settings update and is designed to trick users into accepting malicious settings that can, for example, route all their internet traffic through a proxy server owned by the hacker.
It takes only a single SMS message to gain full access to a device’s emails, and users cannot verify whether the rogue SMS and suggested updates originate from their network carrier or from an attacker.
The researchers also found that anyone connected to a cellular network can be targeted by these attacks, not only users connected to a Wi-Fi network.
They found that certain Samsung phones were the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages. The user only needs to accept the CP request for the malware to be installed without the sender needing to prove their identity.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher at Check Point Software Technologies.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” he said.
Huawei, LG and Sony phones do have a form of authentication checking, but attackers only need the international mobile subscriber identity (IMSI) of the recipient to “confirm” their identity.
Attackers can obtain a victim’s IMSI in a variety of ways, the researchers said, including creating a rogue Android app that reads a phone’s IMSI once it is installed. Attackers can also bypass the need for an IMSI by sending the user a text message posing as the network operator and asking them to accept a PIN-protected OMA CP message. If the user enters their PIN (personal identification number) and accepts the OMA CP message, the CP can be installed without an IMSI.
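The authentication gap described above (an OMA CP message with no authentication, or a NETWPIN check keyed on an IMSI an attacker can obtain, versus a PIN the user knows) can be expressed as a device-side acceptance policy. The following is an added example, not Check Point's code or any handset vendor's implementation: the MAC construction (HMAC-SHA1 over the provisioning body, keyed with the user PIN as ASCII bytes) is a simplified model of the USERPIN mode, real CP bodies are WBXML rather than the parsed `settings` dict used here, and the hostnames, PIN and sample body are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# SEC values from the OMA CP specification. Only NETWPIN and USERPIN are
# modelled here; the other SEC values are refused by default (an assumption
# of this example, not something the article states).
NETWPIN = "NETWPIN"
USERPIN = "USERPIN"


@dataclass
class ProvisioningMessage:
    """Simplified CP message. Real OMA CP bodies are WBXML-encoded; the
    parsed `settings` dict stands in for that parsing (hypothetical)."""
    sec: Optional[str]          # None models a message with no authentication
    mac: Optional[str]          # hex digest carried in the message header
    body: bytes                 # provisioning document bytes the MAC covers
    settings: Dict[str, str] = field(default_factory=dict)


def user_pin_mac(body: bytes, pin: str) -> str:
    """Operator-side USERPIN MAC: HMAC-SHA1 over the body keyed with the PIN.
    Assumption: the PIN is used as its ASCII bytes (a simplification)."""
    return hmac.new(pin.encode("ascii"), body, hashlib.sha1).hexdigest()


def verify_user_pin(msg: ProvisioningMessage, pin: Optional[str]) -> bool:
    """Device-side check of a USERPIN message against the PIN the user typed."""
    if pin is None or msg.mac is None:
        return False
    expected = user_pin_mac(msg.body, pin)
    return hmac.compare_digest(expected.lower(), msg.mac.lower())


def evaluate(msg: ProvisioningMessage, pin: Optional[str] = None,
             trusted_hosts: FrozenSet[str] = frozenset()) -> Tuple[bool, List[str]]:
    """Return (accept, reasons). Accept only when no reason to refuse remains."""
    reasons: List[str] = []

    # 1. Authentication strength. NETWPIN keys the check on the IMSI, which
    #    the article notes an attacker can obtain, so it is treated as no
    #    stronger than an unauthenticated message.
    if msg.sec is None:
        reasons.append("no authentication on CP message")
    elif msg.sec == NETWPIN:
        reasons.append("NETWPIN only: keyed on the IMSI, which an attacker can obtain")
    elif msg.sec == USERPIN:
        if not verify_user_pin(msg, pin):
            reasons.append("USERPIN MAC does not match the PIN entered")
    else:
        reasons.append(f"SEC value {msg.sec!r} not modelled; refuse by default")

    # 2. Settings content. A proxy or APN pointing at an unknown host is the
    #    payload the article describes, so flag it even on an authenticated message.
    for key in ("PROXY", "APN"):
        host = msg.settings.get(key)
        if host and host not in trusted_hosts:
            reasons.append(f"{key} points to untrusted host {host!r}")

    return (not reasons, reasons)


# Constructed sample data (not real captures).
SAMPLE_BODY = b"<wap-provisioningdoc><characteristic type='PXLOGICAL'/></wap-provisioningdoc>"
OPERATOR_HOSTS = frozenset({"proxy.operator.example"})


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the policy over four constructed messages and return the verdicts."""
    unauth = ProvisioningMessage(None, None, SAMPLE_BODY, {"PROXY": "proxy.attacker.example"})
    netwpin = ProvisioningMessage(NETWPIN, "00" * 20, SAMPLE_BODY, {"PROXY": "proxy.operator.example"})
    userpin = ProvisioningMessage(USERPIN, user_pin_mac(SAMPLE_BODY, "4821"), SAMPLE_BODY,
                                  {"PROXY": "proxy.operator.example"})
    return {
        "unauthenticated": evaluate(unauth, trusted_hosts=OPERATOR_HOSTS),
        "netwpin": evaluate(netwpin, trusted_hosts=OPERATOR_HOSTS),
        "userpin_correct": evaluate(userpin, pin="4821", trusted_hosts=OPERATOR_HOSTS),
        "userpin_wrong": evaluate(userpin, pin="0000", trusted_hosts=OPERATOR_HOSTS),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in demo().items():
        print(f"{name:16} accept={ok} {reasons}")
```

The point of the policy is the ordering of the checks: the PIN verification only helps if the PIN reached the user through a channel the attacker does not control, which is why the settings themselves are inspected even after a MAC match, and why a NETWPIN-only message is refused outright rather than trusted on the strength of an identifier that a rogue app can read.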
However, the researchers disclosed their findings to the affected Android phone suppliers in March 2019 and several Android phone suppliers have since responded.
Samsung included a fix in its May Security Maintenance Release (SVE-2019-14073), LG released a fix in July (LVE-SMP-190006) and Huawei is planning to include fixes for OMA CP in the next generation of Mate-series or P-series smartphones. Sony stated that its devices follow the OMA CP specification.