Attackers can launch SMS phishing attacks to remotely change settings on a victim’s Android device, researchers at Check Point have found. These attacks take advantage of weak authentication in Open Mobile Alliance Client Provisioning (OMA CP), which is the industry standard for over-the-air (OTA) provisioning. OTA provisioning allows mobile providers to set up new phones on their networks. The researchers found that attackers could send these OTA provisioning messages as well.
“To send OMA CP messages, an attacker needs a GSM modem (either a $10 USB dongle, or a phone operating in modem mode), which is used to send binary SMS messages, and a simple script or off-the-shelf software, to compose the OMA CP,” they write. “The phishing CP messages can either be narrowly targeted, e.g. preceded with a custom text message tailored to deceive a particular recipient, or sent out in bulk, assuming that at least some of the recipients are gullible enough to accept a CP without challenging its authenticity.”
In Check Point’s proof-of-concept, the researchers demonstrated that an attacker could fairly easily craft messages that could trick a user into accepting settings that would route all of the victim’s Internet traffic through an attacker-owned proxy.
Samsung and LG released fixes for the vulnerability earlier this year. Huawei says it plans on mitigating the flaw in the next generation of its smartphones, and Sony refused to acknowledge the vulnerability at all. A huge number of Android smartphones are still vulnerable to this type of phishing attack, so users need to be wary. New-school security awareness training can help your employees stay up-to-date on the latest attacks.
Check Point has the story: https://research.checkpoint.com/advanced-sms-phishing-attacks-against-modern-android-based-smartphones/