Insecure Android provisioning could lead to phishing attacks

Researchers unveiled potential SMS-based phishing attacks that exploit Android provisioning settings and could impact most users.

Artyom Skrobov and Slava Makkaveev, security researchers at Check Point Software Technologies, studied Android devices made by Samsung, Huawei, LG and Sony -- which combined account for more than 43% of the smartphone market globally -- and discovered all were susceptible to attacks using SMS messages containing malicious over-the-air (OTA) client provisioning (CP) settings.

The researchers said wireless carriers normally use OTA provisioning "to deploy network-specific settings to a new phone joining their network," but the industry standard for such messages include "rather limited authentication methods." As such, the receiver cannot verify the authenticity of Android provisioning messages and in some cases a threat actor could launch an attack using nothing more than "a GSM modem and a simple script."

If an attacker can trick a user into installing malicious Android provisioning settings, the attacker could change server settings related to MMS, email, calendar or contacts, or route all traffic through proxy servers.

"To target victims using Samsung phones, the attacker can send them unauthenticated OMA CP messages, specifying a proxy that he controls," the researchers wrote in their analysis. "We emphasize that there is no authenticity check for the attacker to overcome: all that is needed is for the user to accept the CP."

The researchers noted that Samsung phones were the only ones tested that did not authenticate Android provisioning messages; attacks against Huawei, LG or Sony phones required the attacker obtain the International Mobile Subscriber Identity (IMSI) numbers of potential victims -- which they described as "roughly equivalent to an IP address" -- or trick victims into accepting the settings with a PIN code.

Makaveev told SearchSecurity that although they only tested devices from those four manufacturers, it "is very likely" that more Android phones would be susceptible to this form of attack. Makaveev added that "the carriers should filter out CP messages sent by their subscribers who don't have a legitimate reason to send CP," in order to mitigate the risk.

The researchers noted that Samsung and LG have already released patches to secure the Android provisioning flow and Huawei is planning fixes in the future, but "Sony refused to acknowledge the vulnerability, stating that their devices follow the [Open Mobile Alliance] OMA CP specification."

The industry standard for client provisioning is set by Open Mobile Alliance, a non-profit standards body, and the latest specification was set in 2009. The Open Mobile Alliance did not respond to requests for comment on whether new specifications with stronger authentication requirements are in the works.

"Our research shows that the security implications of OMA CP remain relevant even a decade later. The basic distribution of Android doesn't handle OMA CP messages, but many vendor implementations do, as OMA CP is the industry standard for OTA provisioning," the researchers wrote. "Its specification allows (but does not require!) CP messages to be authenticated using USERPIN, NETWPIN, or other methods, which are less widely used."