Experts warn of “advanced” security threat for Android users
Phone models by Samsung, Huawei, LG and Sony could be susceptible to a phishing attack that tricks users into accepting malicious phone settings, routing all their internet traffic towards hackers.
The vulnerability, disclosed by security firm Check Point, makes use of SMS messages and has been verified as affecting a range of Android handsets, including the Huawei P10, LG G6, Sony Xperia XZ Premium, and Samsung Galaxy S9.
According to Check Point’s researchers, the attack hinges on over-the-air (OTA) provisioning, which in normal circumstances is used by providers to deploy carrier-specific settings to phones joining their network.
By sending out their own OTA provisioning instructions, masked using a duplicitous SMS message, the hackers can route a victim’s email and internet traffic to their own proxy server.
“The phishing […] messages can either be narrowly targeted, e.g. preceded with a custom text message tailored to deceive a particular recipient, or sent out in bulk, assuming that at least some of the recipients are gullible enough to accept a [provisioning message] without challenging its authenticity,” wrote Check Point’s researchers Artyom Skrobov and Slava Makkaveev.
All an attacker would need to leverage this system is a cheap USB dongle to work as a GSM modem, the researchers warn, alongside the off-the-shelf software needed to compose a malicious Open Mobile Alliance Client Provisioning (OMA CP) message – the industry standard for OTA provisioning.
Samsung phones proved to be the easiest to hack, as there was no authentication needed for the attacker to send an OMA CP message. As long as the user accepted the message instruction, the attacker could gain access to internet traffic, contacts, calendar and email messages.
Huawei, Sony and LG phones were harder to target, as these handsets required the attacker to have the International Mobile Subscriber Identity (IMSI) – a bit like an IP address – of the targeted phone. Check Point notes that this is not that hard to come by, however.
Check Point privately disclosed its findings to the various phone manufacturers in March. Samsung and LG have since issued fixes for the issue, while Huawei told Check Point it is planning fixes for the company’s next generation of Mate or P series smartphones. Sony refused to acknowledge the vulnerability, and is sticking to the current OMA CP specifications.
For worried users, the best course of action would be to ensure the latest security updates are in place, and be wary of any text messages that include links to install updates.