Android phones vulnerable to advanced SMS phishing attacks

Researchers discover an attack vector that could once be only imagined in a "high-tech spy movie"


Researchers have found a fundamental security flaw in modern Android phones that facilitates advanced SMS phishing attacks.

Phones made by Huawei, LG, Samsung and Sony were all vulnerable to the attack, which involves an attacker tricking a user into accepting new phone settings that can reroute phone data back to the criminal.


Check Point researchers showed how attackers could leverage over-the-air provisioning (OTA) used by the affected phones.

Check Point researchers also discovered that OTA, which is usually used by network operators to deploy network-specific settings to a new phone joining their network, can be hijacked using a $10 dongle.

The authentication methods used by OTA are limited, according to Check Point, and this limitation can be exploited to send messages which appear to be from the network operator to the user, but actually redirect internet traffic back to the attacker.

All affected phones allow weakly authenticated messages to reach the user, while Samsung additionally allows completely unauthenticated messages to reach its users.

Armed with a cheap dongle or a phone running in modem mode, attackers can either send messages tailored for specific targets or send them out in bulk in a 'spray and pray' style of attack.

These specially crafted messages can change the MMS message server, proxy address, mail server, directory servers relating to contacts and calendars, and the browser homepage and bookmarks.


A message to a Samsung user will typically ask them if it can change the client provisioning settings. If a user accepts this after being taken through to the phone's settings without passing any authentication checks, then the malicious settings will be applied.

The attacker has a slightly tougher time with Huawei, LG and Sony phones. Of the two methods available, the first involves obtaining a victim's International Mobile Subscriber Identity (IMSI) number using a reverse IMSI lookup checker. Once the IMSI has been acquired, a phishing attack can be authenticated and deployed as easily as on Samsung phones.

When an IMSI cannot be found, the attacker can instead send two messages: the first appears to be from the victim's network operator and contains a PIN, and the second, malicious message is authenticated with that PIN and asks to change the phone's settings. All a user would have to do is enter the PIN and the attack would be mounted.
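The three cases above (no authentication, IMSI-keyed, PIN-keyed) can be told apart on the receiving side. The Python sketch below is an added example, not code from Check Point or any vendor: it shows a handset-side or MDM-side check that verifies the message's HMAC-SHA1 tag and still withholds automatic trust, because a valid tag only proves the sender knew the IMSI or the PIN. `NETWPIN` and `USERPIN` are the OMA Client Provisioning names for the two methods (not used in the article); the message layout, setting names and opaque `imsi_key` are assumptions.

```python
import hashlib
import hmac

# Settings the article lists as changeable; these key names are labels
# invented for this example, not identifiers from any provisioning standard.
REDIRECTING = {"mms_server", "proxy", "mail_server", "directory_server",
               "browser_homepage", "bookmarks"}

def mac_ok(body, key, mac_hex):
    """Constant-time check of the HMAC-SHA1 tag sent with the message."""
    expected = hmac.new(key, body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, mac_hex.lower())

def assess(msg, imsi_key, entered_pin=None):
    """Verdict for one parsed message: 'reject' or 'verify_with_carrier'.

    msg is a dict with 'sec' (None, 'NETWPIN' or 'USERPIN'), 'mac' (hex),
    'body' (bytes) and 'settings' (dict). imsi_key is the device's own
    IMSI-derived key, treated here as opaque bytes (assumption).
    """
    sec = msg.get("sec")
    if sec is None or not msg.get("mac"):
        return {"verdict": "reject", "reasons": ["no authentication"]}
    if sec == "NETWPIN":
        key = imsi_key
        why = "MAC key comes from the IMSI, an identifier rather than a secret"
    elif sec == "USERPIN" and entered_pin:
        key = entered_pin.encode("ascii")
        why = "MAC key is a PIN supplied by the same unverified sender"
    else:
        return {"verdict": "reject", "reasons": ["unusable security method"]}
    if not mac_ok(msg["body"], key, msg["mac"]):
        return {"verdict": "reject", "reasons": ["MAC mismatch"]}
    reasons = [why]
    touched = sorted(REDIRECTING & set(msg["settings"]))
    if touched:
        reasons.append("redirects: " + ", ".join(touched))
    # A valid MAC never yields automatic acceptance: confirm with the carrier.
    return {"verdict": "verify_with_carrier", "reasons": reasons}

def sample(sec, key, settings):
    """Build a constructed test message; the body is placeholder bytes."""
    body = repr(sorted(settings.items())).encode()
    mac = hmac.new(key, body, hashlib.sha1).hexdigest() if key else None
    return {"sec": sec, "mac": mac, "body": body, "settings": settings}
```
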


"This is a demonstration of how sophisticated the bad guys are getting. Five years ago, this type of attack could have been included in the plot of some high-tech spy movie, but now it is being used by regular, run of the mill bad guys," said Erich Kron, security awareness advocate at KnowBe4.

"People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorisation, even if it appears to come from the carrier.

"If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate," he added.

Since the researchers disclosed the vulnerabilities to the manufacturers in March 2019, Samsung and LG have both issued fixes.

Huawei said its future Mate and P-series phones will be sold with UI fixes to address the issue, while Sony refused to acknowledge the vulnerability report at all.
