Researchers discovered an advanced SMS phishing attack against certain Android phones that allows a remote attacker to trick victims into accepting new settings and take control of the browser home page and email server over the air.
Several Android smartphone models are vulnerable to this SMS phishing attack, including devices from Samsung, Huawei, LG, and Sony.
Network operators use a process called "over-the-air (OTA) provisioning", also known as "Open Mobile Alliance Client Provisioning (OMA CP)", to deploy network-specific settings when a new phone joins their network.
Smartphones manufactured by Samsung, Huawei, LG and Sony, which together account for nearly 50% of Android phones worldwide, let attackers push malicious settings to spy on the device's communication remotely.
Unfortunately, because authentication of these messages is so limited, the recipient cannot verify whether the newly suggested settings come from the legitimate network operator or from an attacker.
Attack Flow over the Air
The attack requires only a USB dongle worth about $10, which can be used to send binary SMS messages, along with a simple script to compose and send the OMA CP message to the victim's phone.
Anyone with such a cheap USB modem can perform this process to trick victims into installing malicious settings and redirect their traffic through an attacker-controlled proxy.
According to the Check Point report, OMA CP allows the following settings to be changed over the air:
- MMS message server
- Proxy address
- Browser homepage and bookmarks
- Mail server
- Directory servers for synchronizing contacts and calendar
This, in turn, could allow attackers to easily intercept some network connections a targeted device makes through its data carrier service, including web browsers and built-in email clients.
“It takes only a single SMS message to gain full access to your emails,” the researchers say.
“In these attacks, a remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic to steal emails through a proxy controlled by the attacker.”
“Furthermore, anyone connected to a cellular network may be the target of this class of phishing attacks, meaning you don’t have to be connected to a Wi-Fi network to get your private email data maliciously extracted by cyber attackers.”
However, just as with a proxy configured for a Wi-Fi connection, the proxy settings for the mobile data network are not honoured by every app installed on a targeted device; it depends on whether the app was designed to use the user-configured proxy.
Moreover, the proxy server cannot decrypt HTTPS connections, so this technique is suitable only for intercepting insecure (plaintext) connections.
"This is an entirely new classification of phishing attacks on our emails," Slava Makkaveev, a security researcher at Check Point, told The Hacker News.
“It was difficult to classify the vulnerability at first because it’s a deep specificity problem. It’s probably the most advanced phishing attack on our emails I’ve seen to date.”
Coming back to the weaknesses Check Point researchers identified in the authentication of provisioning messages: the industry-standard specification that recommends how to secure OTA provisioning does not mandate that carriers authenticate CP messages using USERPIN, NETWPIN or other methods.
As a result, the message recipient (the targeted user) cannot verify whether an OMA CP message carrying new settings originated from their network operator or from an imposter, leaving an opportunity for attackers to exploit this weakness.
The researchers tested the attack on a Samsung smartphone by sending an unauthenticated OMA CP message. They noticed that there is no authenticity check when victims receive CP messages; simply accepting the CP message is enough to install the malicious settings.
To perform this attack on Huawei, LG or Sony phones, the attacker also needs the victim's International Mobile Subscriber Identity (IMSI), which can be obtained, for example, by an Android application holding the READ_PHONE_STATE permission.
"For those potential victims whose IMSI could not be obtained, the attacker can send each victim two messages. The first is a text message that purports to be from the victim's network operator, asking him to accept a PIN-protected OMA CP, and specifying the PIN as an arbitrary four-digit number," Check Point researchers said.
"Once it's done, the attacker sends him an OMA CP message authenticated with the same PIN. Such CP can be installed regardless of the IMSI, provided that the victim accepts the CP and enters the correct PIN."
By installing the malicious settings through a single SMS phishing attack, attackers gain full access to the emails of the built-in email client on Android phones and to the web browser's home page.
The researchers successfully tested this attack on the Huawei P10, LG G6, Sony Xperia XZ Premium, and a range of Samsung Galaxy phones, including the S9.
Check Point found this flaw in March and reported it to the affected vendors so they could apply fixes and protect users from this advanced phishing attack.
Samsung phones are the most vulnerable
Researchers found that certain Samsung phones are the most vulnerable to this form of phishing attack because they perform no authenticity check on the senders of OMA CP messages.
The user only needs to accept the CP and the malicious software will be installed without the sender needing to prove their identity.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, Security Researcher at Check Point Software Technologies.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning.
When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”
Huawei, LG, and Sony phones do have a form of authentication check, but an attacker only needs the recipient's International Mobile Subscriber Identity (IMSI) to 'confirm' their identity.
Attackers can obtain a victim's IMSI in a variety of ways, including by creating a rogue Android app that reads the phone's IMSI once it is installed.
The attacker can also bypass the need for an IMSI by sending the user a text message posing as the network operator and asking them to accept a PIN-protected OMA CP message. If the user enters the PIN and accepts the OMA CP message, the CP is installed without an IMSI.
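As an added illustration of the authentication model described above (for both the Samsung "no check" case and the IMSI/PIN cases on Huawei, LG and Sony), here is a handset-side verifier for the SEC and MAC parameters of an OMA CP message. This is not Check Point's code and does not appear on the original page; the MAC scheme (HMAC-SHA1 keyed with the IMSI in semi-octet form for NETWPIN, or the ASCII PIN for USERPIN), the sample body and the IMSI/PIN values are my assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for a WBXML provisioning body; not a real OMA CP message.
SAMPLE_BODY = b"<wap-provisioningdoc><proxy addr='203.0.113.10'/></wap-provisioningdoc>"

def imsi_to_key(imsi):
    """Assumed NETWPIN key format: IMSI as GSM 11.11 semi-octets, parity nibble first."""
    nibbles = [9 if len(imsi) % 2 else 1] + [int(d) for d in imsi]
    if len(nibbles) % 2:
        nibbles.append(0xF)  # pad an odd nibble count
    return bytes((nibbles[i + 1] << 4) | nibbles[i] for i in range(0, len(nibbles), 2))

def cp_mac(key, body):
    """Assumed MAC scheme: HMAC-SHA1 over the body, hex-encoded (the MAC header parameter)."""
    return hmac.new(key, body, hashlib.sha1).hexdigest().upper()

def verify_cp(sec, mac, body, imsi, pin=None, accept_unauthenticated=False):
    """Handset-side check of the SEC/MAC parameters; returns a verdict, installs nothing."""
    if sec is None:  # the Samsung case on this page: no proof of sender at all
        return "accept-unauthenticated" if accept_unauthenticated else "reject-no-auth"
    if sec == "NETWPIN":
        key = imsi_to_key(imsi)  # only shows the sender knew the IMSI
    elif sec == "USERPIN":
        if pin is None:
            return "needs-pin"  # the handset must prompt the user first
        key = pin.encode()  # only shows sender and user agree on a PIN
    else:
        return "reject-unsupported-sec"
    if not mac or not hmac.compare_digest(cp_mac(key, body), mac.upper()):
        return "reject-bad-mac"
    return "accept"

def demo():
    """The situations the article describes, with constructed IMSI and PIN values."""
    imsi, pin = "001010123456789", "1234"
    netw_mac = cp_mac(imsi_to_key(imsi), SAMPLE_BODY)
    user_mac = cp_mac(pin.encode(), SAMPLE_BODY)
    return {
        "no_sec_legacy": verify_cp(None, None, SAMPLE_BODY, imsi, accept_unauthenticated=True),
        "no_sec_hardened": verify_cp(None, None, SAMPLE_BODY, imsi),
        "netwpin_right_imsi": verify_cp("NETWPIN", netw_mac, SAMPLE_BODY, imsi),
        "netwpin_other_imsi": verify_cp("NETWPIN", netw_mac, SAMPLE_BODY, "001010000000000"),
        "userpin_with_pin": verify_cp("USERPIN", user_mac, SAMPLE_BODY, imsi, pin=pin),
        "userpin_without_pin": verify_cp("USERPIN", user_mac, SAMPLE_BODY, imsi),
    }
```

The verdicts show why a valid MAC is weak evidence here: a NETWPIN MAC proves only knowledge of the IMSI, and a USERPIN MAC proves only that the sender and the user agree on a PIN, which is exactly what the two-message trick arranges.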
A USERPIN-authenticated CP message as it appears to a Huawei user
Some fixes are available
The researchers disclosed their findings to the affected vendors in March 2019:
- Samsung included a fix addressing this in their Security Maintenance Release for May (SVE-2019-14073)
- LG released their fix in July (LVE-SMP-190006)
- Huawei is planning to include UI fixes for OMA CP in the next generation of Mate-series or P-series smartphones
- Sony stated that its devices follow the OMA CP specification.