Researchers have discovered a new type of “advanced” phishing attack targeting Android phones that can trick users into installing malicious settings disguised as innocuous network configuration updates.
The attack, disclosed today by cybersecurity firm Check Point Research, has been successful on most modern Android phones, including the Huawei P10, LG G6, Sony Xperia XZ Premium and Samsung Galaxy S9. But any Android phone can be targeted this way.
Since Samsung, Huawei, LG and Sony account for more than 50 percent of all Android phones, the potential scope of the attack is understandably broad.
According to the report, threat actors take advantage of over-the-air (OTA) provisioning, a technique often used by telecom operators to deploy operator-specific configurations on new devices, to intercept all email traffic to and from Android phones using fake SMS messages.
“A remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic to steal emails through a proxy controlled by the attacker,” wrote researchers Artyom Skrobov and Slava Makkaveev.
The vulnerability can be exploited at any time of day, provided the phones are connected to their operator networks. Wi-Fi access points, however, are not affected.
Worryingly, all a cybercriminal needs is a GSM modem, which can then be used to send a provisioning message to the intended victims after obtaining their international mobile subscriber identity (IMSI) numbers. An IMSI is a number that uniquely identifies each user of a cellular network.
The provisioning message follows a format called Open Mobile Alliance Client Provisioning (OMA CP), specified by the Open Mobile Alliance, but it is weakly authenticated, which means that a recipient cannot verify whether the suggested configuration originated from their provider or from a scammer trying to execute a man-in-the-middle attack.
After Check Point privately disclosed its findings in March, all of the companies, with the exception of Sony, have issued patches or plan to correct the vulnerability in upcoming releases. Samsung addressed the flaw in its May security update (SVE-2019-14073), while LG fixed it in July (LVE-SMP-190006).
Huawei intends to plug the flaw in its next smartphones, according to Check Point, but it is not completely clear whether the US-China trade war will cause additional complications. Sony, meanwhile, is sticking with the current OMA CP specification, and the OMA is tracking this issue separately.
Threat actors have long used a variety of methods to stage all kinds of phishing attacks. But the idea that an attacker can send personalized SMS messages to change the network and Internet settings on a device through clever social engineering campaigns is very worrying.
The bottom line, ultimately, is that you should be wary of installing anything untrusted on your device, especially anything delivered through text messages or linked in texts.
“Threat actors are improving in extracting information outside Wi-Fi hotspots every day,” the researchers said. “We should all be on extra alert, especially when we are not connected to Wi-Fi public access points.”