Samsung, LG, Huawei and other Android phones vulnerable to SMS phishing attacks


Even after patches are installed, researchers recommended that users not blindly trust messages from their mobile carriers, or APN settings available on the Internet that claim to help users troubleshoot issues with data carrier services.

Sony, meanwhile, refused to acknowledge the vulnerability, saying its phones follow the OMA CP specification.

Researchers determined that certain Samsung phones were the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages.

According to a new report Check Point shared with The Hacker News, weakly authenticated provisioning messages implemented by some device manufacturers, including Samsung, Huawei, LG, and Sony, can allow remote hackers to trick users into updating their device APN settings with malicious attacker-controlled proxy servers. "Samsung phones compound this by allowing unauthenticated OMA CP messages as well", the researchers say in a report released today.

The phishing CP messages can either be narrowly targeted, for example, preceded by a custom text message carefully crafted to fool a specific individual, or sent out in bulk, in the hope that at least a few of the recipients are gullible enough to accept it without questioning its legitimacy.

In terms of defending against or blocking attacks, Check Point advised that consumers should always be careful about what settings they approve and install on their phones, and ideally install a mobile security solution for checking the networks they are connected to.

To run an attack, the threat actor would need a GSM modem (priced around $10) or a phone running in modem mode to send binary messages, and a simple script to compose the OMA CP. Coming back to the weaknesses Check Point researchers identified in the authentication of provisioning messages, the industry-standard specifications for making OTA provisioning secure do not mandate that carriers properly authenticate CP messages using USERPIN, NETWPIN, or other methods.


To target some of the susceptible phones, the attacker needs to know the device's International Mobile Subscriber Identity (IMSI) number, Check Point admitted, but added this may not be hard.

Attackers can obtain a victim's IMSI in a variety of ways, including creating a rogue Android app that reads a phone's IMSI once it is installed.

Devices from Huawei, LG, and Sony were a little bit more secure, as they required the sender of an OMA CP message to provide the phone's IMSI code before accepting the message.

However, Check Point's researchers demonstrated that anyone can send OTA provisioning messages.

"Given the popularity of Android devices, this is a critical vulnerability that must be addressed", said Slava Makkaveev, security researcher at Check Point Software Technologies. On the mobile network side, operators can block the delivery of OMA CP messages that did not originate from their own equipment.

Samsung patched the flaw after Check Point disclosed it in March, and LG followed in July.

Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones. Samsung and LG already rolled out an appropriate fix.
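
The network-side filtering mentioned above (blocking OMA CP messages that did not originate from the operator's own equipment) and the check for missing authentication can be sketched as follows. This is an added example, not code from Check Point or any vendor: it classifies a WSP Push payload (SMS user data header already removed) by whether it is OMA CP and whether it declares a SEC method and a MAC, then applies a sender policy. The function names, sender labels and sample PDUs are constructed for illustration; the content-type and parameter codes come from the WSP and OMA CP encodings, not from the article.

```python
CP_TYPE = 0x36  # WSP well-known content type application/vnd.wap.connectivity-wbxml
CP_TEXT = b"application/vnd.wap.connectivity-wbxml"
SEC_NAMES = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}
NOT_CP = (False, None, False)
# Constructed samples: the MAC is a 40-character placeholder, the WBXML body a 4-byte stub.
AUTH_PDU = bytes.fromhex("01062f1f2db6918192") + b"0" * 40 + bytes.fromhex("00030b6a00")
UNAUTH_PDU = bytes.fromhex("010601b6030b6a00")

def read_uintvar(buf, i):  # WSP uintvar: 7 bits per octet, high bit means "more follows"
    value = 0
    while True:
        value = (value << 7) | (buf[i] & 0x7F)
        i += 1
        if not buf[i - 1] & 0x80:
            return value, i

def classify_push(pdu):  # returns (is_oma_cp, sec_method, has_mac)
    try:
        if pdu[1] != 0x06:  # pdu[0] is the transaction id, 0x06 is the Push PDU type
            return NOT_CP
        hdr_len, i = read_uintvar(pdu, 2)
        headers = pdu[i:i + hdr_len]
        first = headers[0]
        if first & 0x80:  # bare well-known content type, so no SEC or MAC parameter
            return ((first & 0x7F) == CP_TYPE, None, False)
        if first > 0x1F:  # content type spelled out as NUL-terminated text
            return (headers.split(b"\x00")[0] == CP_TEXT, None, False)
        length, j = read_uintvar(headers, 1) if first == 0x1F else (first, 1)
        field = headers[j:j + length]
        if field[0] != 0x80 | CP_TYPE:
            return NOT_CP
    except IndexError:  # truncated PDU
        return NOT_CP
    sec, has_mac, k = None, False, 1
    while k + 1 < len(field) and field[k] in (0x91, 0x92):
        if field[k] == 0x91:  # SEC parameter, one short-integer octet
            sec, k = SEC_NAMES.get(field[k + 1] & 0x7F, "UNKNOWN"), k + 2
        else:  # MAC parameter: NUL-terminated hex text (presence only, not verified here)
            end = field.find(b"\x00", k + 1)
            has_mac, k = end > k + 1, (end + 1 if end != -1 else len(field))
    return (True, sec, has_mac)

def gateway_verdict(pdu, sender, operator_senders):
    is_cp, sec, has_mac = classify_push(pdu)
    if not is_cp:
        return "pass"
    if sender not in operator_senders:  # not the operator's own provisioning equipment
        return "block"
    return "deliver" if sec and has_mac else "alert"
```

A "deliver" verdict only means the message declares an authentication method and carries a MAC; checking that MAC against the subscriber's PIN or IMSI remains the handset's job.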
