Advanced Android SMS Phishing


Attackers can launch SMS phishing attacks to remotely change settings on a victim’s Android device, researchers at Check Point have found. These attacks take advantage of weak authentication in Open Mobile Alliance Client Provisioning (OMA CP), which is the industry standard for over-the-air (OTA) provisioning. OTA provisioning allows mobile providers to set up new phones on their networks. The researchers found that attackers could send these OTA provisioning messages as well.

“To send OMA CP messages, an attacker needs a GSM modem (either a $10 USB dongle, or a phone operating in modem mode), which is used to send binary SMS messages, and a simple script or off-the-shelf software, to compose the OMA CP,” they write. “The phishing CP messages can either be narrowly targeted, e.g. preceded with a custom text message tailored to deceive a particular recipient, or sent out in bulk, assuming that at least some of the recipients are gullible enough to accept a CP without challenging its authenticity.”

In Check Point’s proof-of-concept, the researchers demonstrated that an attacker could fairly easily craft messages that could trick a user into accepting settings that would route all of the victim’s Internet traffic through an attacker-owned proxy.

Samsung and LG released fixes for the vulnerability earlier this year. Huawei says it plans on mitigating the flaw in the next generation of its smartphones, and Sony refused to acknowledge the vulnerability at all. A huge number of Android smartphones are still vulnerable to this type of phishing attack, so users need to be wary. New-school security awareness training can help your employees stay up-to-date on the latest attacks.

Check Point has the story:

Request Your Security Awareness Training Quote

products-KB4SAT6-2Old-school awareness training does not hack it anymore. Your email filters have a ~10% failure rate; you need a strong human firewall as your last line of defense. KnowBe4 is your platform for new-school security awareness training. We help you keep your users on their toes with security top of mind. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will. Find out how affordable this is for your organization and be pleasantly surprised.

Get A Quote Now

Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Weak Password Test Contest

Get the latest about social engineering

Subscribe to CyberheistNews