Android smartphones from multiple vendors, including Samsung, Huawei, LG, and Sony, are susceptible to an advanced type of attack that can change device settings via a short text message.
Bad actors can take advantage of the weakness to send notifications that at first glance appear to come from the mobile operator and entice users to accept what looks like a network-specific configuration. This can instruct the device to route traffic through a malicious proxy server.
Mobile operators can deliver settings messages to a client terminal through the Open Mobile Alliance Client Provisioning (OMA CP) protocol. It uses over-the-air (OTA) communication and requires minimal interaction from the recipient.
Check Point researchers have found that the mobile carrier OTA provisioning process lacks a strong mechanism for authenticating that a message comes from the network operator and not from an unauthorized party.
For example, in second generation cellular technology (2G) there is no mutual authentication between the terminal and the network; only the phone must authenticate itself, while the operator is not required to authenticate to the terminal.
However, this threat does not depend on the type of cellular network. Slava Makkaveev, one of the researchers investigating the problem, told BleepingComputer that it was a problem with the specification of the OMA CP protocol, which allows sending provisioning messages without authentication.
If an authentication mechanism is in place, it is based on the International Mobile Subscriber Identity (IMSI) number, which is unique to each cellular network user.
Popular Brand Phones Vulnerable
Researchers have found that Samsung, Huawei, LG and Sony phones, which combined account for more than 50% of the Android phone market, can receive malicious settings through weakly authenticated provisioning messages. "Samsung phones connect to this by allowing unauthorized OMA CP messages," the researchers said in a report released today.
To launch an attack, the threat actor will need a GSM modem (cost about $ 1
OTA provisioning messages can be used to change the following phone settings:
• MMS messaging server
• Proxy address
• Browser homepage and bookmarks
• Mail server
• Directory servers for synchronizing contacts and calendar
Attackers targeting Samsung phones can send malicious messages without needing to be authenticated. If the user accepts the CP message, the phone settings will be changed.
For other phones, the attacker will need the International Mobile Subscriber Identity (IMSI) numbers of potential victims to launch the same attack as in the case of Samsung phone users. Several methods are available to obtain the IMSI number.
Researchers say that OMA CP messages have an optional security header for validating the provisioning message. This validation is based on the IMSI number.
However, this check does not help the user in any way as they will not see details that would identify the sender.
Alternatively, if the IMSI number cannot be obtained, the attacker has another way of launching the attack, but it involves sending two messages to the victim.
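A receiver-side model of the IMSI-based check described above, added here as an illustration and not taken from Check Point's report or any vendor's code. The names `CpMessage`, `imsi_mac` and `evaluate`, the sample IMSI and the sample body are assumptions, and the MAC is modelled as HMAC-SHA1 keyed with the ASCII IMSI digits, which simplifies the key encoding the OMA CP specification defines.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class CpMessage:
    body: bytes               # provisioning document (constructed sample bytes)
    mac_hex: Optional[str]    # value of the optional security header, None if absent


def imsi_mac(imsi: str, body: bytes) -> str:
    # Assumption: key = ASCII IMSI digits; the real key encoding is set by the spec.
    return hmac.new(imsi.encode("ascii"), body, hashlib.sha1).hexdigest()


def evaluate(msg: CpMessage, device_imsi: str) -> str:
    """Return 'reject' or 'prompt'; settings are never applied silently."""
    if msg.mac_hex is None:
        # No security header: the message is unauthenticated, so drop it
        # instead of showing the user an install prompt.
        return "reject"
    expected = imsi_mac(device_imsi, msg.body)
    if not hmac.compare_digest(expected, msg.mac_hex.lower()):
        return "reject"       # MAC does not match this device's IMSI or the body
    # A valid MAC only shows the sender knows the IMSI, which is an identifier
    # and not a secret, so the user must still review the changes before accepting.
    return "prompt"


# Constructed sample values (not real subscriber data).
DEVICE_IMSI = "001010123456789"
BODY = b"<parm name='PXADDR' value='proxy.example'/>"

if __name__ == "__main__":
    cases = {
        "no security header": CpMessage(BODY, None),
        "MAC for another IMSI": CpMessage(BODY, imsi_mac("001019999999999", BODY)),
        "MAC for this IMSI": CpMessage(BODY, imsi_mac(DEVICE_IMSI, BODY)),
    }
    for label, msg in cases.items():
        print(f"{label}: {evaluate(msg, DEVICE_IMSI)}")
```

Even the passing case ends in a prompt rather than silent acceptance, because the prompt is the only place the user can notice an unexpected proxy or server address.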
Not all vendors released a patch
In March, Check Point informed the vendors affected by this vulnerability. Samsung and LG have already introduced an appropriate fix.
Huawei devices continue to be vulnerable to the attack, as the company plans to fix the weakness in the next generation of its Mate or P series smartphones.
Sony did not acknowledge the vulnerability, reasoning that its products follow the OMA CP specification.