Android phones vulnerable to advanced SMS phishing attacks

Researchers discover an attack vector that could once be only imagined in a "high-tech spy movie"

Android

Researchers have found a fundamental security flaw in modern Android phones that facilitates advanced SMS phishing attacks.

Phones made by Huawei, LG, Samsung and Sony were all vulnerable to the attack, which involves an attacker tricking a user into accepting new phone settings that can reroute phone data back to the criminal.

Check Point researchers showed how attackers could leverage over-the-air provisioning (OTA) used by the affected phones

Check Point researchers also discovered that OTA, which is usually used by network operators to deploy network-specific settings to a new phone joining their network, can be hijacked using a $10 dongle.

The authentication methods used by OTA are limited, according to Check Point, and this limitation can be exploited to send messages which appear to be from the network operator to the user, but actually redirect internet traffic back to the attacker.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

All affected phones allow weakly authenticated messages to reach the user, while Samsung additionally allows completely unauthenticated messages to reach its users.

Armed with a cheap dongle or a phone running in a modem mode, attackers can either send messages tailored for specific targets or sent out in bulk in a 'spray and pray' style of attack.

These specially crafted messages can change the MMS message server, proxy address, mail server, directory servers relating to contacts and calendars and browser homepage and bookmarks.

A message to a Samsung user will typically ask them if it can change the client provisioning settings. If a user accepts this after being taken through to the phone's settings without passing any authentication checks, then the malicious settings will be applied.

The attacker has a slightly tougher time with Huawei, LG and Sony phones. Of the two methods available, the first involves obtaining a victim's International Mobile Subscriber Identity (IMSI) number using a reverse IMSI lookup checker and once the IMSI has been acquired, a phishing attack can then be authenticated and deployed as easily as done on Samsung phones.

Advertisement - Article continues below

When an IMSI cannot be found, the attacker can instead send two messages, one which appears to be from the victim's network operator containing a PIN and the second malicious message, authenticated with the aforementioned PIN, asking to change the phone's settings. All a user would have to do is enter the PIN and the attack would be mounted.

"This is a demonstration of how sophisticated the bad guys are getting. Five years ago, this type of attack could have been included in the plot of some high-tech spy movie, but now it is being used by regular, run of the mill bad guys," said Erich Kron, security awareness advocate at KnowBe4.

"People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorisation, even if it appears to come from the carrier.

"If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate," he added.

Since the researchers disclosed the vulnerabilities to the manufacturers in March 2019, Samsung and LG have both issued fixes.

Huawei said it's future Mate and P-series phones will be sold with UI fixes to address the issue while Sony refused to acknowledge the vulnerability report at all.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020