Researchers at Check Point have discovered that certain Android-based phones, including models by Samsung, Huawei, LG and Sony, are susceptible to advanced phishing attacks.
In this attack, a bad actor tricks users into accepting new phone settings that route all of the device's Internet traffic through a proxy the attacker controls. The attack vector relies on a process called over-the-air (OTA) provisioning, which cellular network operators normally use to push network-specific settings to a phone joining their network.
However, Check Point’s researchers demonstrated that anyone can send OTA provisioning messages.
The industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), offers only limited authentication, so the recipient cannot tell whether the proposed settings come from their network operator or from a third party.
Researchers found that phones made by Samsung, Huawei, LG and Sony, which together account for more than 50% of Android phones according to market share data released last year, accept malicious settings delivered via weakly authenticated provisioning messages. The "authentication" OMA CP offers is a message authentication code keyed either on the subscriber's IMSI (NETWPIN) or on a PIN the sender chooses and can simply tell the victim (USERPIN); neither ties the message to the network operator.
Samsung phones compound this by also accepting unauthenticated OMA CP messages, the researchers said.
Check Point disclosed its findings to the vendors in question in March this year. Samsung included a fix addressing this phishing flaw as part of its security maintenance release for May (SVE-2019-14073). LG released a fix in July (LVE-SMP-190006). Huawei says it is planning to include UI fixes for OMA CP in the next generation of Mate or P series smartphones. Sony, however, refused to acknowledge the vulnerability, stating that its devices follow the OMA CP specification. OMA is tracking this issue as OPEN-7587.
How it works
To send OMA CP messages, an attacker needs only a GSM modem to send binary SMS messages and a simple script or off-the-shelf software to compose the OMA CP, the researchers explained.
The phishing CP messages can be narrowly targeted, for example preceded by a custom text message crafted to fool a specific individual, or sent out in bulk in the hope that at least a few recipients accept them without questioning their legitimacy.
OMA CP allows several settings to be changed over the air, including the MMS message server, proxy address, browser homepage and bookmarks, mail server, and directory servers for synchronising contacts and calendar, among others.
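As an added example (not Check Point's code, nor any vendor's), the following Python decodes the WBXML body of an OMA CP push far enough to list the settings it would apply, and checks the SEC/MAC authentication the standard offers, tying together the authentication weakness described above and the proxy-rewriting payload described in this section. Assumptions: the token tables are a small subset of OMA-WAP-ProvCont and should be checked against the spec before wider use; the sample message bytes are constructed, not captured; and the USERPIN key being the PIN digits exactly as typed is taken as given. The point it demonstrates is that a USERPIN MAC verifies correctly when the victim types the PIN the sender put in the accompanying text, so a passing check says nothing about whether the operator sent the message.

```python
"""Triage an OMA Client Provisioning (OMA CP) push: list the settings its WBXML body would
apply and say what its SEC/MAC authentication proves. Token subset from OMA-WAP-ProvCont."""
import hashlib
import hmac

PUBLIC_ID_PROV10 = 0x0B  # "-//WAPFORUM//DTD PROV 1.0//EN"
TAGS = {0x05: "wap-provisioningdoc", 0x06: "characteristic", 0x07: "parm"}
ATTR_START = {  # code page 0 attribute-start tokens -> (attribute, value prefix); subset only
    0x05: ("name", ""), 0x06: ("value", ""), 0x15: ("name", "PROXY-ID"),
    0x20: ("name", "PXADDR"), 0x21: ("name", "PXADDRTYPE"), 0x23: ("name", "PORTNBR"),
    0x50: ("type", ""), 0x51: ("type", "PXLOGICAL"), 0x53: ("type", "PORT"), 0x55: ("type", "NAPDEF"),
}
ATTR_VALUE = {0x85: "IPV4", 0x86: "IPV6"}  # attribute-value tokens; subset only

def _mb_uint32(body, i):
    """WBXML multi-byte integer: 7 bits per byte, high bit set on every byte but the last."""
    value = 0
    while body[i] & 0x80:
        value, i = (value << 7) | (body[i] & 0x7F), i + 1
    return (value << 7) | body[i], i + 1

def _read_attrs(body, i, attrs):
    """Attribute list: start tokens, inline strings (0x03) and value tokens, until END (0x01)."""
    current = None
    while body[i] != 0x01:
        tok, i = body[i], i + 1
        if tok in ATTR_START:
            current, prefix = ATTR_START[tok]
            attrs[current] = prefix
        elif tok == 0x03:  # inline NUL-terminated string appended to the current attribute
            end = body.index(b"\x00", i)
            attrs[current] += body[i:end].decode("utf-8")
            i = end + 1
        elif tok in ATTR_VALUE:
            attrs[current] += ATTR_VALUE[tok]
        else:
            raise ValueError("unsupported attribute token 0x%02x" % tok)
    return i + 1  # skip END

def decode_provisioning(body):
    """Return [(characteristic type, {parm name: value}), ...] for a PROV 1.0 WBXML body."""
    public_id, i = _mb_uint32(body, 1)  # byte 0 is the WBXML version
    if public_id != PUBLIC_ID_PROV10:
        raise ValueError("not an OMA CP 1.0 document")
    i = _mb_uint32(body, i)[1]  # charset
    strtab_len, i = _mb_uint32(body, i)
    i += strtab_len  # string table is not used by this token subset
    settings, stack = [], []  # stack: one slot per open element, holding its characteristic or None
    while i < len(body):
        tok, i = body[i], i + 1
        if tok == 0x01:  # END closes the innermost open element
            stack.pop()
            continue
        name = TAGS[tok & 0x3F]  # KeyError on a tag outside the subset
        attrs = {}
        if tok & 0x80:  # element carries attributes
            i = _read_attrs(body, i, attrs)
        entry = None
        if name == "characteristic":
            entry = (attrs.get("type", "?"), {})
            settings.append(entry)
        elif name == "parm":  # a parm belongs to the nearest open characteristic
            owner = next((e for e in reversed(stack) if e is not None), None)
            if owner is not None:
                owner[1][attrs.get("name", "?")] = attrs.get("value", "")
        if tok & 0x40:  # element has content, so a matching END follows
            stack.append(entry)
    return settings

def provisioning_mac(body, key):
    """MAC as OMA ProvBoot defines it: HMAC-SHA1 over the WBXML body, carried as hex digits."""
    return hmac.new(key, body, hashlib.sha1).hexdigest().upper()

def verify_userpin(body, mac_hex, pin):
    """Handset-side USERPIN check. Assumption: the key is the PIN digits exactly as typed."""
    return hmac.compare_digest(provisioning_mac(body, pin.encode("ascii")), mac_hex.upper())

def triage_push(body, sec=None, mac_hex=None, user_pin=None):
    """Settings the push would apply, plus what its SEC level really says about the sender."""
    if sec == "USERPIN" and not (mac_hex and user_pin and verify_userpin(body, mac_hex, user_pin)):
        auth = "rejected: MAC does not match the entered PIN"
    else:
        auth = {
            None: "unauthenticated: no SEC/MAC, anyone with a GSM modem can send this",
            "USERPIN": "weak: MAC verifies, but the sender chose the PIN, so it proves nothing about origin",
            "NETWPIN": "weak: keyed on the subscriber IMSI, which does not bind the message to the operator",
        }.get(sec, "unsupported SEC value %r" % sec)
    return {"auth": auth, "settings": decode_provisioning(body)}

_s = lambda text: b"\x03" + text.encode("utf-8") + b"\x00"  # WBXML inline string

# Constructed sample, not a captured message: a PXLOGICAL proxy at 198.51.100.7 port 8080.
SAMPLE_BODY = (
    bytes([0x03, 0x0B, 0x6A, 0x00, 0x45])  # WBXML 1.3, PROV 1.0, UTF-8, empty string table, <wap-provisioningdoc>
    + bytes([0xC6, 0x51, 0x01])  # <characteristic type="PXLOGICAL">
    + bytes([0x87, 0x20, 0x06]) + _s("198.51.100.7") + b"\x01"  # <parm name="PXADDR" value="198.51.100.7"/>
    + bytes([0x87, 0x21, 0x06, 0x85, 0x01])  # <parm name="PXADDRTYPE" value="IPV4"/>
    + bytes([0xC6, 0x53, 0x01])  # <characteristic type="PORT">
    + bytes([0x87, 0x23, 0x06]) + _s("8080") + b"\x01"  # <parm name="PORTNBR" value="8080"/>
    + b"\x01\x01\x01"  # </characteristic> </characteristic> </wap-provisioningdoc>
)
```

Run as the phishing flow works: the sender computes `provisioning_mac(SAMPLE_BODY, b"1234")`, sends the push with SEC=USERPIN and that MAC, and tells the victim "your PIN is 1234" in a preceding text. `triage_push(SAMPLE_BODY, "USERPIN", mac, "1234")` then reports the MAC as verified but "weak", alongside the PXLOGICAL address and PORT it would install; with no SEC at all (the case Samsung additionally accepted) it reports "unauthenticated". Surfacing the decoded PXADDR and PORTNBR together with the sender, rather than a bare "accept new settings" prompt, is the kind of information a handset UI needs before the user taps Accept.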