Being hacked remains a top concern of many, regardless of what type of a device they are using. With most of us having a smartphone in our pockets at any given time, having our phones hacked is always a concern.
It can’t be much scarier then to know that you could be hacked by someone sending just one text message to you. A major security flaw in Androids has left over a billion devices vulnerable to such a hack.
Android Text Hack
The Check Point Software Technologies cyber security firm researchers identified the security flaw in Android phones, noting they could be hacked with just one SMS text message. That’s all it would take to gain access to your emails.
With 2.5 billion devices globally using the Android mobile OS, it makes it the world’s most popular operating system. This makes security flaws in the system potentially catastrophic, affecting Samsung, Huawei, LG, Sony, and other Android-based phones.
Affected Android phones use over-the-air (OTA) provisioning, allowing mobile networks to use network-specific settings for a new phone that joins the network.
Researchers found that the OTA industry standard, Open Mobile Alliance Client Provisioning (OMA CP), includes limited methods for authenticating. It can be easily exploited by hackers who pose as a network operator and send phony OMA CP SMS messages to users.
Users who receive this text message are tricked into accepting malicious settings. These settings can route all their Internet traffic through a proxy server that is owned by the hackers. This enables them to have access to the users’ emails.
While most Android phones are vulnerable to this hack, the researchers found that Samsung phones are more vulnerable to this hack than others because they don’t have an authenticity check for OMA CP message senders. As long as the user accepts the CP, the malicious software will be installed without the sender needing to be authenticated.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, a security researcher at Check Point.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept,’ they could very well be letting an attacker into their phone.”
For Huawei, LG, and Sony phones, hackers need the Internatonal Mobile Subscriber Identity (IMSI) of the user to authenticate.
Attackers can gain access to a user’s IMSI in different ways. They can create an app that reads the IMSI once it’s installed, or they can bypass the need for an IMSI by sending a text message to the user that poses as the network operator and asks them to accept an OMA OP message that is PIN-protected. Once the message is accepted and the user enters the PIN, the IMSI is no longer needed.
Staying Safe
As always, the best way to remain up to date. Samsung addressed this flaw with their May release, LG addressed it with a fix in July, and Huawei is planning on fixing it in the next generation of its smartphones. Sony claims their devices already follow the OMA CP specification.
Are you an Android user who is now concerned over rogue text messages you may receive, allowing you to be hacked? Tell us below in a comment.
