Cyber threat intelligence provider Check Point Research disclosed this week what it says is a flaw in some Android smart phones that enables hackers to send bogus messages that trick users into entering malicious settings that could, among other things, route traffic through a proxy server controlled by the hacker.
The loophole, Check Point says, could leave Android phones from Samsung, Huawei, LG, Sony, and other makes vulnerable to what it calls “advanced phishing attacks.”
All told, some 1.244 billion Android smart phones were shipped globally in 2017, the latest year for which numbers were available. In the United States, Android phone models account for a 51% share of the smart phone base. Consumers use Android phones with mobile wallets such as Alphabet Inc.’s Google Pay and Samsung Electronics Co. Ltd.’s Samsung Pay for mobile payments. It is not clear whether the security flaw would affect these payments, but an industry expert says transactions completed by various payment methods could be vulnerable as they flow across the hacker’s server. The intruder “can see all your Internet traffic, including point-of-sale data,” says Alissa Knight, a security expert and senior analyst at Aite Group, a Boston-based financial-services consultancy.
Google and Samsung did not immediately respond to requests for comment from Digital Transactions News.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher at Check Point Software Technologies, the San Carlos, Calif.-based parent company of Check Point Research, in a statement.
Check Point says its researchers in March showed their results to the affected companies. It adds that Samsung responded with a fix in May, and LG in July did likewise. It says Huawei is planning to introduce fixes “in the next generation of Mate series or P series smart phones.” Sony, it says, disagreed that the vulnerability affected its devices.
The flaw involves a process called over-the-air provisioning, which allows mobile network operators to push network-specific settings to phones newly activated on their networks. According to Check Point, the industry method for this process, the Open Mobile Alliance Client Provisioning (OMA CP) standard, leaves open an avenue by which phishers can send messages to users that gull them into installing settings that route traffic through the phisher’s proxy server.
Attackers overcome authentication technology on some phones by tricking users into revealing their International Mobile Subscriber Identity or by getting them to accept a bogus OMA CP message, Check Point says.
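To make the two preceding paragraphs concrete, the following is an added example (not code from the article, Check Point, or any handset vendor) of how a defender might inspect an OMA CP provisioning document before it is accepted: it parses the document, lists every proxy endpoint the settings would install, and checks the NETWPIN authentication that the OMA CP standard specifies, which is an HMAC-SHA1 keyed with the subscriber's IMSI. The sample document, the IMSI, and the 203.0.113.10 proxy address are constructed for the example; applying the MAC to the XML text rather than to the WBXML encoding used on the wire is a simplification assumed here. The point it illustrates is the one the article makes: a valid NETWPIN MAC proves only that the sender knew the IMSI, so a message that reconfigures the proxy should be treated as suspect regardless of whether its MAC verifies.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample OMA CP document (not taken from the article). On the wire
# it would be WBXML-encoded; the XML form is used here for readability.
# It installs a logical proxy that would route browser traffic via 203.0.113.10.
SAMPLE_CP = """<wap-provisioningdoc version="1.1">
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="example-proxy"/>
    <parm name="NAME" value="Carrier settings"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="PROXY 1"/>
      <parm name="PXADDR" value="203.0.113.10"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <characteristic type="PORT">
        <parm name="PORTNBR" value="8080"/>
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w2"/>
    <parm name="TO-PROXY" value="example-proxy"/>
  </characteristic>
</wap-provisioningdoc>
"""

# Security-header values defined by the OMA CP specification: NETWPIN keys the
# MAC with the subscriber's IMSI, USERPIN with a PIN delivered out of band.
SEC_NETWPIN = "NETWPIN"
SEC_USERPIN = "USERPIN"


def extract_proxies(doc_xml: str) -> list:
    """Return every physical proxy endpoint the document would install."""
    root = ET.fromstring(doc_xml)
    found = []
    for phys in root.iter("characteristic"):
        if phys.get("type") != "PXPHYSICAL":
            continue
        parms = {p.get("name"): p.get("value") for p in phys.findall("parm")}
        ports = [p.get("value")
                 for port in phys.findall("characteristic")
                 if port.get("type") == "PORT"
                 for p in port.findall("parm") if p.get("name") == "PORTNBR"]
        found.append({"address": parms.get("PXADDR"),
                      "addr_type": parms.get("PXADDRTYPE"),
                      "ports": ports})
    return found


def netwpin_mac(body: bytes, imsi: str) -> str:
    """NETWPIN MAC: HMAC-SHA1 keyed with the IMSI digits, hex-encoded."""
    return hmac.new(imsi.encode("ascii"), body, hashlib.sha1).hexdigest().upper()


def mac_is_valid(body: bytes, mac_hex: str, imsi: str) -> bool:
    """Constant-time comparison of a received MAC against the expected one."""
    return hmac.compare_digest(netwpin_mac(body, imsi), mac_hex.upper())


def assess(doc_xml: str, sec: Optional[str] = None, mac: Optional[str] = None,
           imsi: Optional[str] = None) -> dict:
    """Summarise how the message is authenticated and what accepting it would change."""
    proxies = extract_proxies(doc_xml)
    body = doc_xml.encode("utf-8")
    if sec is None:
        auth = "unauthenticated"          # no SEC header at all
    elif sec == SEC_NETWPIN:
        if imsi is None or mac is None:
            auth = "netwpin-unverifiable"
        elif mac_is_valid(body, mac, imsi):
            auth = "netwpin-valid"        # proves only knowledge of the IMSI
        else:
            auth = "netwpin-invalid"
    elif sec == SEC_USERPIN:
        auth = "userpin"                  # needs the out-of-band PIN to verify
    else:
        auth = "unknown-sec"
    # Any document that installs a proxy reroutes traffic and deserves review
    # even when its MAC verifies, since the IMSI is not a secret strong enough
    # to vouch for the sender.
    return {"auth": auth, "proxies": proxies, "reroutes_traffic": bool(proxies)}


if __name__ == "__main__":
    test_imsi = "001010123456789"        # constructed IMSI (test MCC 001 / MNC 01)
    good_mac = netwpin_mac(SAMPLE_CP.encode("utf-8"), test_imsi)
    print(assess(SAMPLE_CP, sec=SEC_NETWPIN, mac=good_mac, imsi=test_imsi))
    print(assess(SAMPLE_CP))
```

Run it directly to see both verdicts: the first call verifies the MAC yet still reports `reroutes_traffic: True`, the second shows a message with no SEC header at all, which is the case the article describes as leaving the user no way to tell where it came from.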
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept,’ they could very well be letting an attacker into their phone,” says Makkaveev.