A security issue in Android smartphones viz Samsung, LG, Huawei, and Sony has now been identified. This concerns possibilities for remote agents to launch exploits to send malicious text messages to users. Scientists have also found out that specific Samsung smartphones are potentially hugely vulnerable to these phishing attacks. These attacks reportedly employ devious methods to trick users into downloading the malicious files that are transmitted with these messages.  

The research

This research, by Check Point Software Technologies, has found that the over-the-air (OTA) provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network, and its underlying Open Mobile Alliance Client Provisioning (OMA CP), includes limited authentication methods. Researchers say that this could be exploited. The malicious message transmitted, in turn, routes victims’ (users’) internet traffic through a compromised proxy server to reach cyber-criminals.  

As far as the vulnerable Samsung smartphones (identified by researchers to be hugely vulnerable) are concerned, these do not have an authenticity check for senders of OMA CP messages. Once the user accepts the CP, then the non-genuine software would get installed without the sender needing to prove their identity. Researchers also determined that certain Samsung phones are the most vulnerable to this form of phishing attack because they Huawei, LG, and Sony phones do have a form of authentication, but hackers only need the International Mobile Subscriber Identity (IMSI) of the recipient to ‘confirm’ their identity. The cyber-criminals can then in turn gain access to the compromised users’  IMSI even by developing stray Android application (app) to access a phone’s IMSI once it is installed. The attackers can then resort to bypassing the IMSI, by disguising as the network operator and coaxing them to pay heed to an OMCA CP message that is pin-secured. If the user then enters the provided PIN number and accepts the OMA CP message, the CP can be installed without an IMSI. 

Do the brands acknowledge the issue?

The smartphone vendors, identified as vulnerable by the Check Point researchers, even reportedly took notice of the issue. Samsung even sent out a Security Maintenance Release for May (SVE-2019-14073), with LG following suit in July (LVE-SMP-190006 – fix ), and Huawei is said to be contemplating seeding fixes for OMA CP in the next generation of Mate series or P series smartphones. However, Sony is said to have not acknowledged the issue by stating that their smartphones adhered to OMCA CP standards. “Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” stated Slava Makkaveev who is a Security Researcher at Check Point Software.