More than half of the Android mobile phones in use are susceptible to an advanced text-based phishing attack that only requires a cybercriminal make a $10 investment.
Check Point researchers found malicious actors using a remote agent to trick phone owners into accepting new phone settings that hand over various levels of control to the attacker. The attack vector is through a process called over-the-air (OTA) provisioning which is used by carriers to deploy network-specific settings to new phones coming onto their network.
One issue is anyone can send such an OTA provisioning message using the industry standard Open Mobile Alliance Client Provisioning (OMA CP) protocol. The second is phones from top vendors, Samsung, LG, Huawei and Sony are equipped with limited authentication methods making it impossible for a recipient of a phishing message to authenticate the sender.
Equipping yourself to send an OMA CP message requires a $10 USB dongle or a phone operating in modem mode. This is used to send a binary SMS message containing a homegrown or even off the shelf software. Samsung phones are particularly defenseless against this attack by allowing unauthenticated OMA CP messages.
For LG, Huawei and Sony that attacker has to obtain the International Mobile Subscriber Identity (IMSI) for the target phone, a 64-digit identifier used for routing. This task that is relatively simple as forward and reverse IMSI lookups (mobile number to IMSI and vice versa) are widely available from commercial sources, Check Point said.
Once this information is gathered the attacker sends a text to a phone asking the owner to accept changes to the phone. Changes that can alter the following settings:
- MMS message server
- Proxy address
- Browser homepage and bookmarks
- Mail server
- Directory servers for synchronizing contacts and calendar
“People should be very suspicious any time they receive an unsolicited text message that is asking them to enter a PIN or any other authorization, even if it appears to come from the carrier. If they receive something like this, they should immediately contact the carrier through their customer service number and ask if this is legitimate,” said Erich Kron, security awareness advocate, KnowBe4.
Except for Sony the other vendors have either applied or intend to apply fixes to this problem.
“Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073). LG released their fix in July (LVE-SMP-190006). Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones. Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification,” the report said.