Be aware of this new phishing risk on Android. The attack relies on an SMS that offers a fake update of the phone’s network settings. 1.25 billion Android smartphones are affected worldwide, mainly from major manufacturers such as Samsung, Huawei, LG and Sony.

Understand the principle of this new threat

The cybersecurity firm Check Point recently disclosed this flaw in Android smartphones.

In this new form of SMS phishing, hackers may succeed in modifying the network settings of the user’s Android phone. To do this, they abuse an update mechanism normally used by mobile operators (or by companies for their business phones).

As a reminder, phishing consists of obtaining sensitive and personal data (passwords, etc.) from a user.

In this case, the user receives an SMS containing an update of the network settings of their smartphone. If the user accepts the installation, the consequences are serious: without knowing it, their web traffic is then redirected to a proxy server controlled by the hackers.

This proxy server then acts as an intermediary between the user’s smartphone and the internet. So hackers can spy on all web traffic that goes through the smartphone: messaging, emails, etc.

Video demonstration of the implementation of this phishing attack

Check Point has published a video in which it demonstrates this phishing technique. The video shows, in order:

    • the user’s smartphone in its initial state, with no proxy server in the network access configuration of their mobile operator
    • the hacker sending the “Over The Air” SMS, which invites the smartphone user to update their network settings
    • after the user accepts, the smartphone’s network settings now contain a proxy server address
    • in the rest of the video, the user uses the smartphone normally, and the hacker sees the user’s web traffic on his PC: emails, messages, etc.

Video demonstration of this flaw, by the cybersecurity firm Check Point

The flaw: a lack of sender authentication for network parameter updates

The attack is disconcerting: it redirects a smartphone’s web traffic through an intermediary proxy server in order to spy on it, just by sending the user an SMS to install new network settings.

These OTA (Over The Air) messages are based on a standard called Open Mobile Alliance Client Provisioning (OMA CP).

This standard was last updated in 2009. In particular, it lacks advanced sender authentication for such SMS messages, especially since authentication is not mandatory:

  • on Samsung phones, authentication is not required. The user just has to accept the update sent in the SMS
  • on Huawei, LG and Sony phones, hackers must obtain the smartphone’s IMSI number (International Mobile Subscriber Identity). It’s a little better, but not foolproof. This IMSI number is in fact exposed when the “read phone status” permission is granted to an Android application. A malicious application installed by the user could allow hackers to retrieve this IMSI number. Hackers can also send the network settings update SMS without being able to retrieve the phone’s IMSI number. In this case, the user is asked for a PIN code for the installation: hackers could communicate the PIN code to the user, for example by pretending to be their mobile operator.

How to protect yourself against this new threat?

The good news is that Check Point informed the affected smartphone manufacturers privately before revealing the flaw publicly. So remember to install the system updates for your Android smartphone, because the main manufacturers have taken this flaw into consideration:

  • Samsung addressed this flaw in its May 2019 update (SVE-2019-14073)
  • LG also incorporated a fix in its June 2019 update (LVE-SMP-190006)
  • Huawei has said it is taking this into account for its next smartphones, but for the moment does not appear to have made any corrections to existing models.
  • Sony has not made any updates at this point

If in doubt, you can also check in your network access settings whether a proxy server address has been entered without your knowledge. Depending on your phone, the menu should look something like this: Settings > Networks and wireless > Mobile data > Access point / APN.
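
The same APN check can be scripted for a phone connected over adb. This Python sketch is an added example, not part of the original article or of Check Point's research. It assumes its input is the text printed by `adb shell content query --uri content://telephony/carriers` on a device that lets the shell read that table; the sample rows, names and addresses are constructed.

```python
import re

# Constructed sample in the "Row: N key=value, ..." layout printed by
# `content query`; names and addresses are invented (assumption, not real data).
SAMPLE_DUMP = """\
Row: 0 _id=1, name=Operator Internet, apn=internet, proxy=, port=, mmsproxy=, mmsport=, type=default,supl
Row: 1 _id=2, name=Operator MMS, apn=mms, proxy=NULL, port=NULL, mmsproxy=10.0.0.10, mmsport=8080, type=mms
Row: 2 _id=3, name=Operator Internet, apn=internet, proxy=192.0.2.44, port=8080, mmsproxy=, mmsport=, type=default
"""

# Pairs are separated by ", " but values may hold bare commas
# (type=default,supl), so a value ends only where ", <key>=" follows.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_rows(dump):
    """Turn each 'Row: N ...' line into a dict of column name -> value."""
    rows = []
    for line in dump.splitlines():
        match = re.match(r"\s*Row: \d+ (.*)$", line)
        if match:
            rows.append({k: v.strip() for k, v in PAIR_RE.findall(match.group(1))})
    return rows


def audit_apns(dump, allowed_proxies=()):
    """Return (apn name, field, host, port) for every proxy not on the allowlist."""
    findings = []
    for row in parse_rows(dump):
        for host_field, port_field in (("proxy", "port"), ("mmsproxy", "mmsport")):
            host = row.get(host_field, "")
            # Unset columns appear as an empty string or the literal NULL.
            if host not in ("", "NULL") and host not in allowed_proxies:
                findings.append((row.get("name", "?"), host_field, host,
                                 row.get(port_field, "")))
    return findings


if __name__ == "__main__":
    # 10.0.0.10 stands in for the operator's documented MMS proxy (assumption).
    for name, field, host, port in audit_apns(SAMPLE_DUMP, {"10.0.0.10"}):
        print(f"unexpected {field} on APN '{name}': {host}:{port}")
```

An empty result means no APN carries a proxy outside the allowlist; any finding should be compared with the APN settings your operator publishes.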

Finally, stay vigilant about anything related to updating network settings. Simply knowing that this type of attack exists already makes it easier to be wary. If in doubt about a received SMS offering an update of the network settings, you can also contact your mobile operator to check with them whether the SMS is legitimate or not.
