It is estimated that the vulnerability exposes 2.5 billion monthly active users of Android phones worldwide, with devices from Sony, Samsung, Huawei and LG among those affected.
In these advanced phishing attacks, “a remote agent” can trick users into accepting new phone settings, such as routing all Internet traffic through a proxy that is controlled by the agent.
Check Point researchers Artyom Skrobov and Slava Makkaveev explain that the attack occurs through a process called over-the-air (OTA) provisioning, whereby carriers deploy network-specific settings to new phones coming onto their network.
However, the researchers found that the industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), includes only limited authentication methods, so a user cannot verify whether the suggested settings come from the network operator or from an imposter.
“To send OMA CP messages, an attacker needs a GSM modem (either a $10 USB dongle, or a phone operating in modem mode), which is used to send binary SMS messages, and a simple script or off-the-shelf software, to compose the OMA CP.”
Phishing CP messages can be custom-engineered, and tailored to deceive a specific recipient, or sent out in bulk, assuming that some of the recipients are gullible and will accept a CP without questioning its authenticity.
For Samsung devices, there is no authenticity check for a threat actor to overcome. For Huawei, LG and Sony devices, by contrast, the threat actor has to obtain the International Mobile Subscriber Identity (IMSI) for the target phone, a “64-bit identifier of each device on a mobile network”.
OMA CP allows the following settings to be changed: MMS message server, proxy address, browser homepage and bookmarks, mail server and directory servers, synchronizing contacts and calendar, and more.
The researchers also discovered that anyone connected to a cellular network could be targeted, and not just users connected to a Wi-Fi network.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher at Check Point Software Technologies.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”
The researchers disclosed their findings to the affected vendors in March. Samsung included a fix in its May Security Maintenance Release, and LG released its fix in July. Huawei is planning to include fixes in the next generation of Mate series or P series smartphones, and Sony is refusing to acknowledge the vulnerability.
“People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorization, even if it appears to come from the carrier. If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate,” said Erich Kron, security awareness advocate, KnowBe4.
Article originally published on PrivSec:Report