Android phones vulnerable to advanced SMS phishing attacks

Researchers discover an attack vector that could once be only imagined in a "high-tech spy movie"

Android

Researchers have found a fundamental security flaw in modern Android phones that facilitates advanced SMS phishing attacks.

Phones made by Huawei, LG, Samsung and Sony were all vulnerable to the attack, which involves an attacker tricking a user into accepting new phone settings that can reroute phone data back to the criminal.

Check Point researchers showed how attackers could leverage over-the-air provisioning (OTA) used by the affected phones

Check Point researchers also discovered that OTA, which is usually used by network operators to deploy network-specific settings to a new phone joining their network, can be hijacked using a $10 dongle.

The authentication methods used by OTA are limited, according to Check Point, and this limitation can be exploited to send messages which appear to be from the network operator to the user, but actually redirect internet traffic back to the attacker.

All affected phones allow weakly authenticated messages to reach the user, while Samsung additionally allows completely unauthenticated messages to reach its users.

Armed with a cheap dongle or a phone running in a modem mode, attackers can either send messages tailored for specific targets or sent out in bulk in a 'spray and pray' style of attack.

These specially crafted messages can change the MMS message server, proxy address, mail server, directory servers relating to contacts and calendars and browser homepage and bookmarks.

A message to a Samsung user will typically ask them if it can change the client provisioning settings. If a user accepts this after being taken through to the phone's settings without passing any authentication checks, then the malicious settings will be applied.

The attacker has a slightly tougher time with Huawei, LG and Sony phones. Of the two methods available, the first involves obtaining a victim's International Mobile Subscriber Identity (IMSI) number using a reverse IMSI lookup checker and once the IMSI has been acquired, a phishing attack can then be authenticated and deployed as easily as done on Samsung phones.

When an IMSI cannot be found, the attacker can instead send two messages, one which appears to be from the victim's network operator containing a PIN and the second malicious message, authenticated with the aforementioned PIN, asking to change the phone's settings. All a user would have to do is enter the PIN and the attack would be mounted.

"This is a demonstration of how sophisticated the bad guys are getting. Five years ago, this type of attack could have been included in the plot of some high-tech spy movie, but now it is being used by regular, run of the mill bad guys," said Erich Kron, security awareness advocate at KnowBe4.

"People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorisation, even if it appears to come from the carrier.

"If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate," he added.

Since the researchers disclosed the vulnerabilities to the manufacturers in March 2019, Samsung and LG have both issued fixes.

Huawei said it's future Mate and P-series phones will be sold with UI fixes to address the issue while Sony refused to acknowledge the vulnerability report at all.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

What is shoulder surfing?
Security

What is shoulder surfing?

19 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
Microsoft releases two emergency Windows patches
Security

Microsoft releases two emergency Windows patches

19 Oct 2020
Weekly threat roundup: Windows 10, Adobe, and SonicWall VPNs
Security

Weekly threat roundup: Windows 10, Adobe, and SonicWall VPNs

16 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020