igor - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Insecure Android provisioning could lead to phishing attacks

Researchers say many -- if not most -- Android smartphones are at risk of SMS-based phishing attacks that trick users into installing malicious OTA provisioning settings.

Researchers unveiled potential SMS-based phishing attacks that exploit Android provisioning settings and could impact most users.

Artyom Skrobov and Slava Makkaveev, security researchers at Check Point Software Technologies, studied Android devices made by Samsung, Huawei, LG and Sony -- which combined account for more than 43% of the smartphone market globally -- and discovered all were susceptible to attacks using SMS messages containing malicious over-the-air (OTA) client provisioning (CP) settings.

The researchers said wireless carriers normally use OTA provisioning "to deploy network-specific settings to a new phone joining their network," but the industry standard for such messages include "rather limited authentication methods." As such, the receiver cannot verify the authenticity of Android provisioning messages and in some cases a threat actor could launch an attack using nothing more than "a GSM modem and a simple script."

If an attacker can trick a user into installing malicious Android provisioning settings, the attacker could change server settings related to MMS, email, calendar or contacts, or route all traffic through proxy servers.

"To target victims using Samsung phones, the attacker can send them unauthenticated OMA CP messages, specifying a proxy that he controls," the researchers wrote in their analysis. "We emphasize that there is no authenticity check for the attacker to overcome: all that is needed is for the user to accept the CP."

The researchers noted that Samsung phones were the only ones tested that did not authenticate Android provisioning messages; attacks against Huawei, LG or Sony phones required the attacker obtain the International Mobile Subscriber Identity (IMSI) numbers of potential victims -- which they described as "roughly equivalent to an IP address" -- or trick victims into accepting the settings with a PIN code.

Makaveev told SearchSecurity that although they only tested devices from those four manufacturers, it "is very likely" that more Android phones would be susceptible to this form of attack. Makaveev added that "the carriers should filter out CP messages sent by their subscribers who don't have a legitimate reason to send CP," in order to mitigate the risk.

The researchers noted that Samsung and LG have already released patches to secure the Android provisioning flow and Huawei is planning fixes in the future, but "Sony refused to acknowledge the vulnerability, stating that their devices follow the [Open Mobile Alliance] OMA CP specification."

The industry standard for client provisioning is set by Open Mobile Alliance, a non-profit standards body, and the latest specification was set in 2009. The Open Mobile Alliance did not respond to requests for comment on whether new specifications with stronger authentication requirements are in the works.

"Our research shows that the security implications of OMA CP remain relevant even a decade later. The basic distribution of Android doesn't handle OMA CP messages, but many vendor implementations do, as OMA CP is the industry standard for OTA provisioning," the researchers wrote. "Its specification allows (but does not require!) CP messages to be authenticated using USERPIN, NETWPIN, or other methods, which are less widely used."

Dig Deeper on Mobile security threats and prevention

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Who do you think should take responsibility for securing Android provisioning -- the Open Mobile Alliance, cell phone vendors or Google?
I would prefer if it if they would just give me the ability to do it myself.  I am apparently quite a bit more stringent than most of the carriers either in North America or Europe.  I'd also like to order my phone sans the backdoor, thank you kindly.  

Instead I get a handset that come pre-loaded with unremovable (unless I root/jailbreak the phone) apps that I have to patch so that I don't get hacked through one of them.  Those same apps I never wanted keep asking for increasing levels of permissions each time they update.  Why does an app I never wanted and never use need access to my camera or my microphone or my contacts?  

It's my device.  I don't care what the "agreement" says.  If I have to hand over that much of my hard earned cash, it should be MY device and not just one you "let" me use. 

I don't see why I can't remove every app on it short of phone, messages, and the app store. I get that it needs "phone" and "messages" to be a phone.  But literally every other app on there should be ones I've chosen and ones that, should they earn my ire, can be removed or replaced.  We had this battle with desktops and laptops already.  I don't see why my phone, which is essentially a computer, is immune from that legal decision.  

As for the store, there should be classes of applications.  Ones that have been scanned, approved and vetted as not containing malicious code.  Ones that have been through some fully automated process,etc.  All the way down to ones that just got uploaded to the store.  I should be able to filter the store based on this.  

I should be able to get it repaired without having to go to your special store.  Frankly, I never want to talk to another support person who thinks they're a genius.  In reality, they're about 1/10th as smart as they think they are and generally far less polite than New Yorkers on the subway.  

I should be able specify which apps can use which encryption key pairs without the cell carrier being able to access the private keys on the device so I can actually have some privacy.