[SingCERT] Over-The-Air Provisioning Phishing Attacks Against Android Devices

Published on 07 Sep 2019

Updated on 23 Oct 2019

Background
Researchers from Check Point revealed a security flaw in Android-based devices that leaves the device owner vulnerable to phishing.

Affected devices are those that utilise over-the-air (OTA) provisioning. OTA provisioning is used by telecommunication operators (telcos) to push mobile data network settings to subscribers' mobile devices. Because OTA provisioning uses a weak authentication method, an attacker can pose as a telco and send rogue provisioning messages to subscribers.

Unwary subscribers who accept such rogue settings will have their device's traffic redirected to an attacker's server instead of the telco's server.

Affected Versions
Most Android devices are affected; susceptibility varies between manufacturers, e.g. Samsung, Huawei, LG.

Samsung has addressed this issue in their May 2019 update, and LG in their Jul 2019 update, while others, such as Huawei, are planning to launch the fix in future patches.

Impact
Successful exploitation allows an attacker to perform a man-in-the-middle attack to spy on the subscribers.

Recommendations
Android device owners are reminded to be vigilant about any OTA provisioning message prompt sent to them. They can check their mobile data network settings with their respective telcos.
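One way to carry out that check on many devices, as an added example that is not part of the original advisory: the script compares each APN record on a device with the values the telco publishes and reports every field that differs. It assumes the records were exported in the `Row: N key=value, ...` form printed by the Android `content query` shell tool; the sample rows, the reference values and the function names are constructed for illustration.

```python
import re

# Reference values as published by the telco (constructed placeholders).
TELCO_REFERENCE = {
    "apn": "internet.example-telco",
    "proxy": "",
    "port": "",
    "mmsc": "http://mms.example-telco.invalid/mmsc",
    "mmsproxy": "10.0.0.10",
    "mmsport": "8080",
}

# Constructed sample in the "Row: N key=value, ..." shape (not real device data).
SAMPLE_ROWS = (
    "Row: 0 _id=2101, name=Example Telco, apn=internet.example-telco, proxy=, port=, "
    "mmsc=http://mms.example-telco.invalid/mmsc, mmsproxy=10.0.0.10, mmsport=8080, type=default,supl\n"
    "Row: 1 _id=2102, name=Example Telco, apn=internet.example-telco, proxy=203.0.113.7, port=8080, "
    "mmsc=http://mms.example-telco.invalid/mmsc, mmsproxy=10.0.0.10, mmsport=8080, type=default,supl\n"
)

# A value runs until the next ", key=" or the end of the line, so commas
# inside a value (type=default,supl) do not split it.
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_rows(text):
    """Turn each 'Row: N ...' line into a dict; NULL is treated as empty."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"Row: \d+ (.*)", line.strip())
        if m:
            rows.append({k: "" if v == "NULL" else v.strip()
                         for k, v in FIELD.findall(m.group(1))})
    return rows


def deviations(row, reference=TELCO_REFERENCE):
    """Return {field: (device_value, telco_value)} for every field that differs."""
    return {k: (row.get(k, ""), want)
            for k, want in reference.items() if row.get(k, "") != want}


def audit(text, reference=TELCO_REFERENCE):
    """Map APN record id -> deviations, listing only records that differ."""
    found = ((r.get("_id", "?"), deviations(r, reference)) for r in parse_rows(text))
    return {apn_id: diff for apn_id, diff in found if diff}


if __name__ == "__main__":
    for apn_id, diff in audit(SAMPLE_ROWS).items():
        for field, (have, want) in diff.items():
            print(f"APN record {apn_id}: {field}={have!r}, telco publishes {want!r}")
```

A record that differs from the telco's values, such as an unexpected proxy address, should be confirmed with the telco before the device continues to use it.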

All users are advised to enable automatic updates and to install the latest security patch from their respective device manufacturer when prompted.

References
[1] https://research.checkpoint.com/advanced-sms-phishing-attacks-against-modern-android-based-smartphones/
[2] https://www.helpnetsecurity.com/2019/09/04/android-advanced-phishing-attacks/