Advanced Android SMS Phishing


Attackers can launch SMS phishing attacks to remotely change settings on a victim’s Android device, researchers at Check Point have found. These attacks take advantage of weak authentication in Open Mobile Alliance Client Provisioning (OMA CP), which is the industry standard for over-the-air (OTA) provisioning. OTA provisioning allows mobile providers to set up new phones on their networks. The researchers found that attackers could send these OTA provisioning messages as well.

“To send OMA CP messages, an attacker needs a GSM modem (either a $10 USB dongle, or a phone operating in modem mode), which is used to send binary SMS messages, and a simple script or off-the-shelf software, to compose the OMA CP,” they write. “The phishing CP messages can either be narrowly targeted, e.g. preceded with a custom text message tailored to deceive a particular recipient, or sent out in bulk, assuming that at least some of the recipients are gullible enough to accept a CP without challenging its authenticity.”

In Check Point’s proof-of-concept, the researchers demonstrated that an attacker could fairly easily craft messages that could trick a user into accepting settings that would route all of the victim’s Internet traffic through an attacker-owned proxy.

Samsung and LG released fixes for the vulnerability earlier this year. Huawei says it plans on mitigating the flaw in the next generation of its smartphones, and Sony refused to acknowledge the vulnerability at all. A huge number of Android smartphones are still vulnerable to this type of phishing attack, so users need to be wary. New-school security awareness training can help your employees stay up-to-date on the latest attacks.

Check Point has the story:

Request A Quote: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your quote for KnowBe4's security awareness training and simulated phishing platform and find out how affordable this is!

Get A Quote Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews