Android phones vulnerable to advanced SMS phishing attacks

Researchers discover an attack vector that could once be only imagined in a "high-tech spy movie"


Researchers have found a fundamental security flaw in modern Android phones that facilitates advanced SMS phishing attacks.

Phones made by Huawei, LG, Samsung and Sony were all vulnerable to the attack, which involves an attacker tricking a user into accepting new phone settings that can reroute phone data back to the criminal.

Check Point researchers showed how attackers could leverage over-the-air provisioning (OTA) used by the affected phones

Check Point researchers also discovered that OTA, which is usually used by network operators to deploy network-specific settings to a new phone joining their network, can be hijacked using a $10 dongle.

The authentication methods used by OTA are limited, according to Check Point, and this limitation can be exploited to send messages which appear to be from the network operator to the user, but actually redirect internet traffic back to the attacker.

Advertisement - Article continues below
Advertisement - Article continues below

All affected phones allow weakly authenticated messages to reach the user, while Samsung additionally allows completely unauthenticated messages to reach its users.

Armed with a cheap dongle or a phone running in a modem mode, attackers can either send messages tailored for specific targets or sent out in bulk in a 'spray and pray' style of attack.

These specially crafted messages can change the MMS message server, proxy address, mail server, directory servers relating to contacts and calendars and browser homepage and bookmarks.

A message to a Samsung user will typically ask them if it can change the client provisioning settings. If a user accepts this after being taken through to the phone's settings without passing any authentication checks, then the malicious settings will be applied.

The attacker has a slightly tougher time with Huawei, LG and Sony phones. Of the two methods available, the first involves obtaining a victim's International Mobile Subscriber Identity (IMSI) number using a reverse IMSI lookup checker and once the IMSI has been acquired, a phishing attack can then be authenticated and deployed as easily as done on Samsung phones.

Advertisement - Article continues below

When an IMSI cannot be found, the attacker can instead send two messages, one which appears to be from the victim's network operator containing a PIN and the second malicious message, authenticated with the aforementioned PIN, asking to change the phone's settings. All a user would have to do is enter the PIN and the attack would be mounted.

"This is a demonstration of how sophisticated the bad guys are getting. Five years ago, this type of attack could have been included in the plot of some high-tech spy movie, but now it is being used by regular, run of the mill bad guys," said Erich Kron, security awareness advocate at KnowBe4.

"People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorisation, even if it appears to come from the carrier.

"If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate," he added.

Since the researchers disclosed the vulnerabilities to the manufacturers in March 2019, Samsung and LG have both issued fixes.

Huawei said it's future Mate and P-series phones will be sold with UI fixes to address the issue while Sony refused to acknowledge the vulnerability report at all.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Windows

Microsoft pulls disastrous Windows 10 security update

17 Feb 2020

How to use Chromecast without Wi-Fi

5 Feb 2020
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020