An SMS phishing attack against many modern Android phones could route all internet traffic through a proxy controlled by the attacker. The problem lies in weak (sometimes non-existent) authentication for over-the-air (OTA) provisioning.
OTA provisioning is used by network operators to deploy network-specific settings to new phones on the network. It is also used by corporations to deploy, for example, company email server addresses to employee devices. The industry standard for OTA provisioning is the Open Mobile Alliance Client Provisioning (OMA CP), which includes limited authentication; but an OTA recipient cannot verify whether the new settings have come from the genuine network operator, or an imposter.
Researchers from Check Point have found that this weak authentication can be used to ‘phish’ phone users into accepting false settings. The attack can be used against a number of Android phone manufacturers, including Samsung, Huawei, LG and Sony. In 2018, these four manufacturers provided more than 50% of all Android phones.
Check Point has reported its findings to all four companies. Samsung fixed the issue in its May security maintenance release. LG released a fix in July. Huawei plans to include fixes in the next generation of Mate series or P series smartphones. However, the researchers note that “Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification. OMA is tracking this issue as OPEN-7587.”
It is worth noting that the basic Android distribution does not handle OMA CP, but that many of the vendor implementations add the capability. Any Android phone that accepts OTA provisioning is vulnerable to this attack.
All that is required for is a GSM modem (“either a $10 USB dongle, or a phone operating in modem mode” used to send the false OTA message), and a simple script to compose the OMA CP. This lends itself to spear-phishing with a preceding text message designed to deceive the target, or bulk phishing in the expectation that at least some of the recipients will accept the CP (client provisioning) without challenging its authenticity.
With Samsung phones, there is no authenticity check available. The recipient need only accept the CP for the new settings to be installed. For the other three manufacturers, an attacker in possession of the phones’ International Mobile Subscriber Identity (IMSI) number can mount an attack as effective as that against Samsung. IMSI is a unique identifier for every phone on a network. It is described as ‘pseudo-confidential’, but can be obtained from forward and reverse IMSI lookups (mobile number to IMSI and vice versa) that are cheaply available via commercial suppliers.
It can also be obtained via any Android app with the permission: ‘android.permission.READ_PHONE_STATE’. “Over a third of all Android apps released in the last three years already require this permission, so it wouldn’t raise any suspicion,” note the researchers.
With that IMSI number, the CP is automatically authenticated, and the user need only accept the suggestion for the settings to be changed. There is no indication in the CP notice of what settings will be changed, nor is the sender of the CP identified. However, the name of the genuine network provider can be included in the fraudulent message, making it appear to be genuine.
Where there is no IMSI number, or it cannot be obtained, the target can still be phished. This could be done with two messages. The first would purport to be from the user’s network operator and would ask the victim to accept a PIN-protected OMA CP and would provide the PIN. The second message would be the fraudulent OMA CP authenticated with the provided PIN.
If successful, an attacker can divert all the victims’ emails through his own server and have constant and covert access to their content. “Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher at Check Point. “Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”
Related: Over-the-Air Update Mechanism Exposes Millions of Android Devices
Related: Mobile Malware and Mobile Attackers are Getting More Sophisticated
Related: ‘Tis the Season for Mobile Threats
Related: Government Surveillance Under Fire: What You Need to Know