Over a billion Android smartphone users have been found to be vulnerable to advanced SMS phishing attacks, according to Check Point Research.
Brands such as Samsung, Huawei, LG and Sony have been identified to be under threat.
Check Point Research said that the affected Android phones use over-the-air (OTA) provisioning, which allows mobile network operators to deploy network-specific settings to a new phone joining their network.
The Researchers found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), includes limited authentication methods. This can allow hackers to pose as network operators and send false OMA CP messages, such as an ‘update network settings’ text to users to access emails.
These messages can deceive users into accepting malicious settings that can route all internet traffic through the hacker’s proxy server, enabling the hacker to access emails.
Any Android smartphone user connected to a cellular network is vulnerable to these phishing attacks, whether using Wi-Fi or not.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher for Check Point Software Technologies.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning.
“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept,’ they could very well be letting an attacker into their phone.”
SMS phishing attacks: Leading Android brands must improve sender authentication checks
Samsung, Huawei, LG and Sony are the most dominant brands within the Android smartphone arena. They represent over 50% of all Android phones globally and have a worldwide mobile operating market share of 76.08%, according to StatCounter GlobalStat.
There are 2.5 billion monthly active users of Android worldwide, according to statistic website DMR.
Check Point also found that some Samsung phones are more vulnerable to this method of phishing because the brand doesn’t have an authenticity check for senders of OMA CP messages. For hackers to be successful, a user only needs to accept the CP and the malicious software will be installed without any proof of identity.
However, it was found that Huawei, LG, and Sony phones do have a form of authentication checking. But this too is not enough to take secure user’s phones.
Hackers only need the International Mobile Subscriber Identity (IMSI) of the recipient to authorise identity. Hackers can get a user’s IMSI by creating a fraudulent Android app that can read a phone’s IMSI when installed. The hacker can also avoid using an IMSI by sending the user a text message posing as the network operator and asking them to accept a pin-protected OMA CP message.
Check Point Research said it had shared the findings to the affected companies in March this year. This resulted in Samsung and LG adding a solution to their Security Maintenance Release for May (SVE-2019-14073) July (LVE-SMP-190006), respectively.
Huawei plans to add UI fixes for OMA CP in the next generation of its Mate-series or P-series smartphones. However, Sony said its devices follow the OMA CP specification.