Check Point Research says the Open Mobile Alliance Client Provisioning (OMA CP) standard, adopted by Android smartphone makers and used by cellular network operators to deploy network-specific settings to a new phone joining their network, leaves users vulnerable to advanced SMS phishing attacks.
The research arm of Check Point Software Technologies says OMA CP includes limited authentication methods. Remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users. Such a message tricks users into accepting malicious settings that, for example, route their Internet traffic through a proxy server owned by the hacker.
What is Check Point Research's motive for specifically naming Samsung, Huawei, LG, and Sony as culprits when the vulnerability may actually exist for all Android smartphones? Brands like Vivo, OPPO and Xiaomi are noticeably missing from the press release. Consider that the smaller the smartphone maker, the more likely it is to have fewer resources to allocate to things like security.
How it works
Check Point researchers Artyom Skrobov and Slava Makkaveev noted that certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages. The user only needs to accept the CP and the malicious software will be installed without the sender needing to prove their identity.
Huawei, LG, and Sony phones do have a form of authentication, but hackers only need the International Mobile Subscriber Identity (IMSI) of the recipient to ‘confirm’ their identity. Attackers can obtain a victim’s IMSI in a variety of ways, including creating a rogue Android app that reads a phone’s IMSI once it is installed.
The attacker can also bypass the need for an IMSI by sending the user a text message posing as the network operator and asking them to accept a PIN-protected OMA CP message. If the user then enters the provided PIN and accepts the OMA CP message, the CP can be installed without an IMSI.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher at Check Point Software Technologies. “Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”