Researchers discovered that over a billion Android phones are susceptible to advanced phishing attacks. Users are tricked into accepting supposed new phone settings that then route their internet traffic to a proxy server owned by the attacker.
Android Phones Vulnerable To Attack
Researchers at Check Point Research revealed a security flaw that makes certain Android phones vulnerable to phishing attacks. A billion Android devices including Huawei, LG, and Sony units are said to be susceptible to such attacks, but Samsung devices are said to be the most vulnerable.
The affected Android devices use over-the-air (OTA) provisioning, which allows networks to deploy network-specific settings to a new phone. However, researchers found that anyone can send OTA provisioning messages to devices because the industry-standard Open Mobile Alliance Client Provisioning (OMA CP) has limited authentication methods. Simply put, users would not be able to distinguish whether the suggested settings they receive via SMS are actually from the network or from an imposter.
Huawei, LG, Sony, and Samsung make up over 50 percent of all Android phones as of 2018, and users of the first three brands can receive the malicious settings because of weakly authenticated messages. As for Samsung devices, they are deemed the most vulnerable because they evidently allow unauthenticated OMA CP messages.
Advanced Phishing Attack
Once users are tricked into accepting the new phone settings, all their internet traffic could be rerouted to a proxy server that is controlled by the attackers. This would then give the attackers access to their emails or log-in details, for example.
The researchers disclosed their findings to manufacturers, and some have already released fixes to their devices. Samsung released a Security Fix last May, while LG released theirs in July, and Huawei is already planning to release UI fixes in the next Mate- and P-series smartphones. LG, however, is firm that its devices follow the OMA CP specifications.
“This attack flow enables anyone who has a cheap USB modem to trick users into installing malicious settings onto their phones,” Artyom Skrobov and Slava Makkaveev of Check Point Research note. “We verified our proof of concept on the Huawei P10, LG G6, Sony Xperia XZ Premium, and a range of Samsung Galaxy phones, including S9.”