Security researchers are warning of a new Android vulnerability in the way certain handsets receive over-the-air (OTA) updates, allowing hackers to potentially craft convincing SMS phishing attacks.
Check Point revealed the flaw, which has now been patched by some handset manufacturers, earlier this week.
The firm claimed that the industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), features only limited authentication. As a result, remote agents could impersonate network operators by sending spoofed OMA CP messages to users.
If a user is deceived, they will accept malicious settings, which could lead to them being routed to a proxy server under the control of the attackers.
Check Point claimed Samsung devices are most vulnerable to the bug because they don’t feature any authenticity checks for OMA CP message senders.
Huawei, LG and Sony devices feature authentication, but hackers only need the IMSI of a recipient to pass these checks. This could be obtained via rogue Android apps, the researchers claimed.
Another option for attackers is to send a target a text message posing as a network operator asking them to accept a PIN-protected OMA CP message. If the user enters the PIN, accepting the message, the malicious settings will be installed.
It’s unclear exactly how many users could be affected, but given the large market share of Samsung and Huawei and the huge global Android user base, the figure could top one billion.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Check Point security researcher Slava Makkaveev.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”
Fortunately, the researchers worked responsibly with the affected vendors to fix the problem, disclosing their findings back in March.
Samsung apparently fixed the issue in a Security Maintenance Release for May (SVE-2019-14073), LG released a fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.
Only Sony could be letting its customers down by refusing to acknowledge the vulnerability. According to Check Point, the Japanese handset maker told the firm its devices follow the OMA CP specification.