Android phones vulnerable to advanced SMS phishing attacks

Researchers discover an attack vector that could once be only imagined in a "high-tech spy movie"

Android figurine

Researchers have found a fundamental security flaw in modern Android phones that facilitates advanced SMS phishing attacks.

Phones made by Huawei, LG, Samsung and Sony were all vulnerable to the attack, which involves an attacker tricking a user into accepting new phone settings that can reroute phone data back to the criminal.

Check Point researchers showed how attackers could leverage over-the-air provisioning (OTA) used by the affected phones

Check Point researchers also discovered that OTA, which is usually used by network operators to deploy network-specific settings to a new phone joining their network, can be hijacked using a $10 dongle.

The authentication methods used by OTA are limited, according to Check Point, and this limitation can be exploited to send messages which appear to be from the network operator to the user, but actually redirect internet traffic back to the attacker.

All affected phones allow weakly authenticated messages to reach the user, while Samsung additionally allows completely unauthenticated messages to reach its users.

Armed with a cheap dongle or a phone running in a modem mode, attackers can either send messages tailored for specific targets or sent out in bulk in a 'spray and pray' style of attack.

These specially crafted messages can change the MMS message server, proxy address, mail server, directory servers relating to contacts and calendars and browser homepage and bookmarks.

A message to a Samsung user will typically ask them if it can change the client provisioning settings. If a user accepts this after being taken through to the phone's settings without passing any authentication checks, then the malicious settings will be applied.

The attacker has a slightly tougher time with Huawei, LG and Sony phones. Of the two methods available, the first involves obtaining a victim's International Mobile Subscriber Identity (IMSI) number using a reverse IMSI lookup checker and once the IMSI has been acquired, a phishing attack can then be authenticated and deployed as easily as done on Samsung phones.

When an IMSI cannot be found, the attacker can instead send two messages, one which appears to be from the victim's network operator containing a PIN and the second malicious message, authenticated with the aforementioned PIN, asking to change the phone's settings. All a user would have to do is enter the PIN and the attack would be mounted.

"This is a demonstration of how sophisticated the bad guys are getting. Five years ago, this type of attack could have been included in the plot of some high-tech spy movie, but now it is being used by regular, run of the mill bad guys," said Erich Kron, security awareness advocate at KnowBe4.

"People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorisation, even if it appears to come from the carrier.

"If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate," he added.

Since the researchers disclosed the vulnerabilities to the manufacturers in March 2019, Samsung and LG have both issued fixes.

Huawei said it's future Mate and P-series phones will be sold with UI fixes to address the issue while Sony refused to acknowledge the vulnerability report at all.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021