Security researchers from the threat intelligence arm of Check Point recently revealed that Android-based smartphones, including models by Samsung, Huawei, LG, and Sony, are vulnerable to advanced SMS phishing attacks. Attackers can send phishing Open Mobile Alliance Client Provisioning (OMA CP) messages to trick users into accepting new malicious phone settings. The researchers said certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed. Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air (OTA) provisioning.”
The attack vector is OMA CP messages, which attackers use to trick users into accepting new malicious phone settings that can route all their Internet traffic through a proxy controlled by the attackers. OMA CP is the industry standard for over-the-air (OTA) provisioning, which mobile network operators normally use to deploy network-specific settings to a new device joining their network.
However, OMA CP includes only limited authentication methods, and anyone can send provisioning messages. Recipients also cannot verify whether a message was sent by the network operator or by a threat actor.
An attacker needs a GSM modem, which is used to send binary SMS messages, and a simple script to compose and send OMA CP messages. Attackers send phishing CP messages with a custom text message tailored to deceive a particular group of targets. Once recipients accept the CP messages, device settings such as the MMS message server, mail server, proxy address, browser homepage, and bookmarks, among others, are modified.
“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” Slava Makkaveev, Security Researcher, Check Point Software Technologies, said in a statement.
To carry out the attack against Huawei, LG or Sony phones, an attacker needs the IMSI numbers of the target devices. Once a CP message is authenticated with the recipient’s IMSI number, these phones allow installation of the malicious settings. However, attackers can send unauthenticated OMA CP messages to Samsung phones without needing to obtain IMSI numbers. IMSI numbers can be obtained via an Android application that has the READ_PHONE_STATE permission.
If the IMSI number cannot be obtained, the attacker can send victims two messages purporting to be from their network operator, asking them to accept a PIN-protected OMA CP. The attacker can then send OMA CP messages authenticated with the same PIN.
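For defenders, the settings and authentication cases described above can be expressed as a triage rule for a provisioning document that has already been decoded to XML. This is an added example, not code from Check Point or from the article; the `triage` function, the `auth` labels and the sample document are constructed, and the element names (PXPHYSICAL, PXADDR, APPID values, RESOURCE, STARTPAGE) follow the OMA CP XML format as an assumption not stated on the page.

```python
import xml.etree.ElementTree as ET

MAIL_APPIDS = {"25", "110", "143"}  # SMTP, POP3, IMAP application ids

# Constructed sample: a decoded provisioning document (documentation addresses).
SAMPLE = """<wap-provisioningdoc>
 <characteristic type="PXLOGICAL">
  <characteristic type="PXPHYSICAL"><parm name="PXADDR" value="192.0.2.10"/></characteristic>
 </characteristic>
 <characteristic type="APPLICATION">
  <parm name="APPID" value="w2"/>
  <characteristic type="RESOURCE">
   <parm name="URI" value="http://portal.example.net/"/><parm name="STARTPAGE"/>
  </characteristic>
 </characteristic>
</wap-provisioningdoc>"""

def parms(node):
    """Direct <parm> children of one characteristic, as a name -> value dict."""
    return {p.get("name"): p.get("value", "") for p in node.findall("parm")}

def addr(node):
    """First ADDR parm at any depth (mail apps nest it under APPADDR)."""
    return next((p.get("value", "") for p in node.iter("parm")
                 if p.get("name") == "ADDR"), "")

def triage(xml_text, auth):
    """Return (verdict, changes). auth is a hypothetical label supplied by the
    caller: 'none', 'imsi' or 'pin', matching the three cases in the article."""
    changes = []
    for ch in ET.fromstring(xml_text).iter("characteristic"):
        kind, p = ch.get("type"), parms(ch)
        if kind == "PXPHYSICAL" and "PXADDR" in p:
            changes.append(("proxy address", p["PXADDR"]))
        elif kind == "APPLICATION" and p.get("APPID") == "w4":
            changes.append(("MMS message server", addr(ch)))
        elif kind == "APPLICATION" and p.get("APPID") in MAIL_APPIDS:
            changes.append(("mail server", addr(ch)))
        elif kind == "APPLICATION" and p.get("APPID") == "w2":
            for res in ch.findall("characteristic[@type='RESOURCE']"):
                r = parms(res)
                label = "browser homepage" if "STARTPAGE" in r else "bookmark"
                changes.append((label, r.get("URI", "")))
    if not changes:
        return "info", changes
    # IMSI and PIN authentication do not prove operator origin (an app can read
    # the IMSI, a sender can choose the PIN), so those still need human review.
    return ("block" if auth == "none" else "review"), changes
```

For untrusted input outside a test setting, parse with a hardened XML parser such as defusedxml rather than the standard library.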