Security researchers revealed that more than half of modern Android smartphones, including models by Sony, LG, Samsung, and Huawei, are vulnerable to a text-based phishing attack.
According to security firm Check Point Software Technologies, malicious actors can use fake phone provisioning messages to trick Android phone users into accepting new settings that give the attacker access to their traffic. The researchers stated that the phishing attack abuses a process called over-the-air (OTA) provisioning.
Check Point described the attack as an abuse of OMA CP (Open Mobile Alliance Client Provisioning) messages, a special type of SMS that mobile operators send to new devices to install network-specific settings. Attackers can send forged OMA CP messages that replace those settings, allowing them, Check Point stated, to intercept the victim's email and web traffic.
“The industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), includes rather limited authentication methods; a recipient cannot verify whether the suggested settings originate from his network operator or from an imposter. We found that phones manufactured by Samsung, Huawei, LG, and Sony allow users to receive malicious settings via such weakly-authenticated provisioning messages. Samsung phones compound this by allowing unauthenticated OMA CP messages as well,” Check Point said in a statement.
Check Point stated that it reported the discovered flaws to mobile manufacturers. “We disclosed our findings to the affected vendors in March. Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073). LG released its fix in July (LVE-SMP-190006). Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones. Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification. OMA is tracking this issue as OPEN-7587,” the statement added.