It makes over a billion Android phones globally, including those made by Samsung and Huawei, which are at risk of being hacked by text messages.
As it turns out, you should be careful with text messages coming to your Android phone in the inbox.
A large security vulnerability in the Android operating system has left one billion phones vulnerable to being hacked by a plain and simple text message.
Check Point Research, through the intelligence arm of Check Point Software Technologies Ltd., reported that “Samsung, Huawei, LG, Sony and other Android-based phones have security flaws that leave users vulnerable to advanced phishing attacks.”
The security firm states that the hack works using the Over the Air (OTA) method that mobile network operators use to update new phones joining their networks, also known as OMA CP messages.
Researchers say that this method involves limited authentication methods. Therefore, remotely working hackers or anyone can use this route as a network operator that you just sent a misleading OMA CP message to Android phones.
The message can then trick users into accepting malicious settings that will start routing the phone’s incoming and outgoing Internet traffic through a proxy server owned by the hacker.
The Android phone user will not realize what is happening, and the data in the phone can be accessed by a hacker.
“Researchers determined that some Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for those who send OMA CP messages.
Check Point Research states that the user is only given CP and Malicious software will need to be accepted. Without requiring the sender to prove its identity.
Research also states that phones made by Huawei, LG and Sony have a form of authentication, but hackers only require the recipient’s phone’s International Mobile Subscriber Identity (IMSI) to confirm their identity.
And it’s not hard for attackers to get their hands on the phone’s IMSI details – this can be done by creating a rogue Android app that reads a phone’s IMSI once it’s installed or the attacker simply bypassing the need for an IMSI. Does.
Can present text messages as network operators and ask to accept PIN-protected OMA CP messages. If the user enters the provided PIN number and accepts the OMA CP message, CP can be set up without IMSI.
“Given the popularity of Android devices, this is an important vulnerability that must be addressed,” said Slav Makkwe, security researcher at Check Point Software Technologies.
Researchers say Samsung included a fix addressing this phishing flow in their security maintenance release for May (SVE-2019-14073), LG released its fix in July (LVE-SMP-190006),
And Huawei plans to include UI fixes in the OMA CP next generation smartphone, the Mate series or the P series.
Sony refused to accept the vulnerability, stating that their devices follow the OMA CP specification.