Android smartphones are vulnerable to SMS phishing attacks

• Attackers can send phishing OMA CP messages to trick users into accepting new malicious phone settings.
• Samsung phones allow users to receive unauthenticated OMA CP messages, without the need for obtaining IMSI numbers.

Researchers from Check Point have identified that Android smartphones including models by Samsung, Huawei, LG, and Sony are vulnerable to advanced phishing attacks.

What is the attack vector?

The attack vector is Open Mobile Alliance Client Provisioning (OMA CP) messages. Attackers can send phishing OMA CP messages to trick users into accepting new malicious phone settings that can route all their Internet traffic through a proxy controlled by the attackers.

What is OMA CP?

Open Mobile Alliance Client Provisioning (OMA CP) is the industry standard for over-the-air (OTA) provisioning. OTA provisioning is normally used by mobile network operators to deploy network-specific settings to a new device joining their network.

However, OMA CP includes limited authentication methods and anyone can send provisioning messages. Additionally, recipients cannot verify whether the messages are sent from the network operator or from a threat actor.

How does the attack work?

• An attacker needs a GSM modem to compose and send OMA CP messages.
• GSM modem is used to send binary SMS messages and a simple script.
• Attackers send phishing CP messages with a custom text message tailored to deceive a particular group of targets.
• Once recipients accept the CP messages, the new device settings such as MMS message server setting, mail server setting, proxy address, browser homepage, and bookmarks are modified among others.

Key Findings

• An attacker requires IMSI numbers of mobile devices such as Huawei, LG or Sony phones in order to carry out the attack.
• Once a CP is authenticated with the recipient’s IMSI number, Huawei, LG and Sony phones allow installation of malicious settings.
• However, attackers can send unauthenticated OMA CP messages to Samsung phones without the need for obtaining IMSI numbers.
• IMSI numbers can be obtained via an Android application having READ_PHONE_STATE permission.
• Incase the IMSI number could not be obtained, the attacker can send two messages to victims purporting to be from the victims’ network operator, asking them to accept a PIN-protected OMA CP.
• After this, the attacker can send OMA CP messages which are authenticated with the same PIN.

“ We found that phones manufactured by Samsung, Huawei, LG and Sony (corresponding to over 50% of all Android phones, according to market share data from 2018: http://gs.statcounter.com/vendor-market-share/mobile/worldwide/) allow users to receive malicious settings via such weakly-authenticated provisioning messages. Samsung phones compound this by allowing unauthenticated OMA CP messages as well,” researchers said.

How did the vendors respond?

Check Point researchers disclosed their findings to Huawei, Sony, LG, and Samsung.

• Huawei acknowledged the flaw and promised to release UL fixes for OMA CP in the next generation of Mate series or P series smartphones.
• Samsung addressed the issue in its Security Maintenance Release for May (SVE-2019-14073).
• LG released its fix in July (LVE-SMP-190006).
• Sony refused to acknowledge the flaw, stating that their devices follow the OMA CP specification.