Security experts have warned for some time that SMS messages are used by attackers to carry links to malware. A report issued today by Check Point Software warns that many Android phones have a vulnerability that could allow an attacker to fake a message from a user's wireless carrier that ends up changing the phone's settings and hijacking the user's email.
The attack vector exploits a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. However, Check Point found that anyone can send OTA provisioning messages, and that these can trick users into accepting new phone settings because the messages have limited authentication. As a result, a victim who approves a change of settings could suffer a number of consequences, including the routing of their email traffic through an attacker-controlled proxy.
Check Point said it has successfully tried this phishing attack method against smartphones from Samsung, LG, Huawei and Sony. Those manufacturers were notified in March. Samsung included a fix addressing the issue in its Security Maintenance Release for May (SVE-2019-14073). LG released its fix in July (LVE-SMP-190006). Huawei is planning to include fixes in the next generation of its Mate series or P series smartphones. Check Point said Sony refused to acknowledge the vulnerability, stating that its devices follow the Open Mobile Alliance Client Provisioning (OMA CP) specification.
The OMA is tracking this issue as OPEN7587.
To target some of the susceptible phones, the attacker needs to know the device’s International Mobile Subscriber Identity (IMSI) number, Check Point admitted, but added this may not be difficult. One way to get the IMSI number is by infecting a phone with an Android application having the READ_PHONE_STATE permission enabled.
Another way, Check Point suggested, is sending a victim two messages. The first is a text message that purports to be from the victim’s network operator, asking him to accept a PIN-protected OMA CP, and specifying the PIN as an arbitrary four-digit number. Next, the attacker sends the victim an OMA CP message authenticated with the same PIN. The change in client provisioning can be installed regardless of the IMSI, provided that the victim accepts the CP and enters the correct PIN.
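The sketch below is an added example, not code from Check Point or any handset vendor. It models the handset-side check for a PIN-protected OMA CP message to show why a passing check says nothing about who sent it. It assumes the USERPIN scheme is an HMAC-SHA1 over the provisioning body keyed with the ASCII PIN (the article does not spell out the MAC construction); the function names and sample bodies are hypothetical.

```python
import hashlib
import hmac


def cp_mac(pin: str, body: bytes) -> str:
    """MAC the handset recomputes from the PIN the user typed.
    Assumption: HMAC-SHA1 keyed with the ASCII PIN, hex-encoded."""
    return hmac.new(pin.encode("ascii"), body, hashlib.sha1).hexdigest().upper()


def handset_accepts(entered_pin: str, body: bytes, received_mac: str) -> bool:
    """True when the MAC carried with the message matches the entered PIN."""
    return hmac.compare_digest(cp_mac(entered_pin, body), received_mac.upper())


def origin_assurance(sec: str, mac_ok: bool) -> str:
    """What a passing check actually proves about the sender.
    Neither outcome means 'sent by the carrier'."""
    if not mac_ok:
        return "rejected"
    if sec == "NETWPIN":
        return "sender-knows-imsi"      # IMSI is readable by apps, per the article
    if sec == "USERPIN":
        return "sender-knows-pin-only"  # the PIN arrived in an unauthenticated SMS
    return "unauthenticated"


# Constructed sample bodies (stand-ins, not real WBXML documents).
CARRIER_BODY = b"<characteristic type='APPLICATION'>mail.carrier.example</characteristic>"
OTHER_BODY = b"<characteristic type='APPLICATION'>proxy.unknown.example</characteristic>"


def demo() -> dict:
    pin = "1234"  # arbitrary four-digit PIN announced in the first text message
    results = {}
    for name, body in (("carrier", CARRIER_BODY), ("other", OTHER_BODY)):
        mac = cp_mac(pin, body)  # any sender who picked the PIN can compute this
        ok = handset_accepts(pin, body, mac)
        results[name] = (ok, origin_assurance("USERPIN", ok))
    return results


if __name__ == "__main__":
    for sender, outcome in demo().items():
        print(sender, outcome)
```

Both bodies pass with the same result, which is why a client should present a USERPIN-protected message as coming from an unverified sender rather than from the operator.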
Check Point is warning Android device users to be cautious about accepting SMS messages that appear to come from their carrier, particularly if they ask for permission to change settings. It also hopes to persuade the Open Mobile Alliance to publish guidelines to device manufacturers about improving client provisioning security.
SMS-based attacks aren’t new. They’re useful for attackers because, as with email, many users trust the messages they receive. As far back as 2011, attackers were forcing mobile phones to send premium-rate SMS messages or preventing them from receiving messages for long periods of time by leveraging a logic flaw in mobile telecommunication standards.
Applications that use SMS for carrying codes for two-factor authentication, instead of using more secure methods like Google Authenticator, are also vulnerable because SMS messages can be intercepted. Just over a year ago some Reddit staffers were victimized through an SMS-reset scam.