By Yael Macias, Threat Prevention Product Marketing

Research By: Artyom Skrobov, Slava Makkaveev

Check Point researchers recently discovered a vulnerability to advanced phishing attacks in a wide variety of Android phones, including models by Samsung, Huawei, LG and Sony, which together account for more than 50 percent of the Android market. In these attacks, a remote agent can trick users into accepting new phone settings that could route all internet traffic through a proxy controlled by an attacker.

The vulnerability relies on a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. You may not be familiar with the term OTA provisioning, but you have almost certainly seen the SMS messages from operators that arrive when you cross a border and land in a foreign airport, or when you change mobile carriers. These messages are triggered when OTA provisioning occurs.

The vulnerability lies within this process. Because the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP) specification, offers only limited authentication methods, a recipient cannot verify whether the suggested settings originate from their network operator or from a threat actor. The vulnerable Android devices allow users to accept malicious settings and cannot verify whether the proxy the user is connecting to belongs to the operator or to a hacker performing a Man-in-the-Middle attack.
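To make the authentication gap concrete, here is an added example (not code from Check Point or from any handset vendor) of how a receiving side could decide whether to trust a provisioning document that changes the proxy. It models the OMA CP bootstrap security header in simplified form: the document is a plain string rather than WBXML, and the USERPIN check is an HMAC-SHA1 over the document keyed with a PIN the user received out of band; the message layout, field names and sample values are assumptions for illustration.

```python
import hmac
import hashlib
from typing import Optional, Tuple

def mac_for(document: bytes, pin: str) -> str:
    """HMAC-SHA1 over the provisioning document keyed with the PIN, hex-encoded.
    This mirrors the USERPIN scheme of the OMA CP bootstrap specification."""
    return hmac.new(pin.encode(), document, hashlib.sha1).hexdigest().upper()

def evaluate_provisioning(msg: dict, user_pin: Optional[str]) -> Tuple[bool, str]:
    """Return (accept, reason) for a provisioning message.

    Policy: a document is accepted only when it is authenticated with a PIN the
    user obtained through a separate channel (USERPIN) and the MAC verifies.
    Unauthenticated documents and NETWPIN-only documents are refused, because
    neither ties the message to the real operator: anyone can send an SMS, and
    the NETWPIN key is derived from the subscriber's IMSI."""
    doc = msg["document"]
    sec = msg.get("sec")
    if sec is None:
        return (False, "no authentication on provisioning message")
    if sec == "NETWPIN":
        return (False, "NETWPIN does not prove operator origin")
    if sec == "USERPIN":
        if user_pin is None:
            return (False, "USERPIN message but no PIN received out of band")
        if hmac.compare_digest(mac_for(doc, user_pin), msg.get("mac", "")):
            return (True, "MAC verified with user PIN")
        return (False, "MAC mismatch")
    return (False, f"unsupported SEC value {sec!r}")

# Constructed sample: a document that points all HTTP traffic at a proxy
# (192.0.2.10 is a documentation address used here as a placeholder).
SAMPLE_DOC = (b'<wap-provisioningdoc><characteristic type="PXLOGICAL">'
              b'<parm name="PXADDR" value="192.0.2.10"/>'
              b'</characteristic></wap-provisioningdoc>')

def demo() -> dict:
    """Run the policy over four constructed messages and return the verdicts."""
    pin = "1234"
    signed = {"document": SAMPLE_DOC, "sec": "USERPIN", "mac": mac_for(SAMPLE_DOC, pin)}
    return {
        "unauthenticated": evaluate_provisioning({"document": SAMPLE_DOC}, pin),
        "netwpin": evaluate_provisioning({"document": SAMPLE_DOC, "sec": "NETWPIN", "mac": "00"}, pin),
        "userpin_valid": evaluate_provisioning(signed, pin),
        "userpin_wrong_pin": evaluate_provisioning(signed, "9999"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the USERPIN message whose MAC verifies is accepted; the unauthenticated and NETWPIN messages, which look identical to the user at the UI level, are refused before any setting is applied.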

Most users wouldn't hesitate to click on a link delivered by a carrier's SMS message telling them to configure their device to activate a data plan. Now imagine if it isn't the carrier, but a hacker on the other end of the link.

This scenario poses significant risk to both personal and corporate data held on mobile devices. How can an organization ensure that its data is safe from advanced phishing attacks? When users believe their connectivity is at stake, they will always be the weakest link, and organizations cannot afford that liability.

SandBlast Mobile, the leading Mobile Threat Defense solution, prevents Man-in-the-Middle attacks over WiFi and cellular networks, so any attempt to intercept traffic and route it to a malicious proxy would be blocked. Moreover, SandBlast Mobile's unique security infrastructure, On-device Network Protection, blocks all phishing links and would detect any malicious behavior attempting to compromise a device and steal users' data.

This discovery reminds us once again how mobile devices can be compromised even in the most unsuspected ways. Having a mobile security solution in place is no longer optional.


Check Point disclosed these findings to the affected vendors in March. Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073). LG released their fix in July (LVE-SMP-190006). Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones. Sony refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification. OMA is tracking this issue as OPEN-7587.


For full technical details about this vulnerability please visit Check Point Research.

To learn more about how you can protect yourself from mobile malware, please check out SandBlast Mobile.
