
SMS-based provisioning messages enable advanced phishing on Android phones

by ethhack

Attackers can abuse a special type of SMS message, used by mobile operators to deliver internet settings to Android phones, to launch credible phishing attacks that result in users’ internet traffic being hijacked. According to researchers from Check Point Software Technologies, some phone makers’ implementations of the Open Mobile Alliance Client Provisioning (OMA CP) standard allow anyone to send special provisioning messages to other mobile users with a $10 GSM modem and off-the-shelf software.

OMA CP messages allow mobile operators to deploy network-specific settings such as the MMS message server, mail server, browser homepage and internet proxy address to new devices joining their networks. When such a message is received, users are prompted to confirm that they accept the settings, but the researchers found there is no indication of who the message is from on devices from Samsung, Huawei, LG and Sony.

This can enable some very credible phishing attacks, since most users will just assume the message came from their operator and agree to install the settings. The configuration can include an internet proxy controlled by the attackers, forcing the user’s internet traffic to be routed through that proxy. This would enable traffic snooping and other man-in-the-middle attacks.

The Android codebase does not include the functionality to handle OMA CP messages, so phone manufacturers have implemented this functionality on their own in the Android firmware for their devices. Because of this, there can be differences in how these messages are handled, including the user interface, between devices from different manufacturers.

OMA CP supports optional authentication through IMSI (international mobile subscriber identity) numbers or PINs, but the Check Point researchers found that Samsung’s OMA CP implementation accepted completely unauthenticated messages. This meant that anyone could send a message to another subscriber and prompt them to install new network settings.

On the tested Huawei, LG and Sony devices, the OMA CP messages needed authentication, but this is not hard to bypass. IMSI numbers, which are used to identify subscribers inside mobile networks, are supposed to be private in theory, but they’re not.
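For analysts reviewing a decoded provisioning message, the following added example (not code from the article or from Check Point) summarises which settings an OMA CP document would change and whether it arrived with any authentication. The SEC and APPID mappings come from the OMA CP specifications rather than the article, and the function name, result keys and sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# SEC values from the OMA CP bootstrap spec (carried in the WSP Content-Type
# header next to the MAC); this mapping is an assumption, not from the article.
SEC_METHODS = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}
# Common APPID values, likewise taken from the OMA registry, not the article.
APPIDS = {"w2": "browser", "w4": "MMS", "25": "SMTP", "110": "POP3", "143": "IMAP"}

def audit_provisioning(xml_text, sec=None, mac=None):
    """Summarise what a decoded OMA CP document would change on a handset."""
    if "<!ENTITY" in xml_text:
        raise ValueError("entity declarations are not expected in OMA CP")
    root = ET.fromstring(xml_text)
    # No SEC/MAC pair means the sender proved nothing about its identity.
    auth = SEC_METHODS.get(sec, "unknown") if mac and sec is not None else "none"
    proxies, apps = [], []
    for ch in root.iter("characteristic"):
        # Only direct <parm> children belong to this characteristic.
        parms = {p.get("name"): p.get("value") for p in ch.findall("parm")}
        kind = (ch.get("type") or "").upper()
        if kind == "PXPHYSICAL" and "PXADDR" in parms:
            proxies.append(parms["PXADDR"])
        elif kind == "APPLICATION":
            apps.append(APPIDS.get(parms.get("APPID"), parms.get("APPID")))
    # NETWPIN is keyed on the IMSI alone, which the article notes is not secret.
    weak_auth = auth in ("none", "unknown", "NETWPIN")
    return {"auth": auth, "proxies": proxies, "apps": apps,
            "review": bool(proxies) and weak_auth}

# Constructed sample (documentation address, not a captured message).
SAMPLE = """<wap-provisioningdoc version="1.1">
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="example-proxy"/>
    <parm name="NAME" value="Operator Internet"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PXADDR" value="192.0.2.10"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
    </characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w2"/>
    <parm name="TO-PROXY" value="example-proxy"/>
  </characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    print(audit_provisioning(SAMPLE))
```

A result with `review` set to true means the document installs a proxy while carrying either no authentication or authentication keyed only on the IMSI, which is the combination the article describes as exploitable.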

Copyright © 2019 IDG Communications, Inc.
