More than a billion Android phones are vulnerable to phishing attacks

WASHINGTON (Reuters) – More than a billion Android smartphones, including phones from the world's biggest manufacturers, are vulnerable to cyber attacks that could steal personal information, researchers warned on Monday.

Researchers at the security company Check Point have discovered a new type of advanced phishing attacks targeting Android phones. They can therefore cause users to install malicious settings on their devices via fake messages that appear to come from network providers.

The attacks have proven effective for most modern Android phones, including the Huawei P10, LG G6, Sony Xperia XZ Premium and Samsung Galaxy S9. All Android phones can be targeted this way. .

Since Samsung, Huawei, LG and Sony account for more than 50% of Android phones, it is clear that the scope of the attack is much wider.

This flaw allows hackers to steal users' email addresses via fake SMS messages designed to intercept incoming and outgoing email on Android phones.

According to the report, hackers take advantage of online services (OTA), a technology often used by telecom operators to deploy enterprise-specific settings on new devices.

Researchers Artyom Skrobov and Slava Makkaveev wrote: A remote hacker can cause users to accept new phone settings, for example, direct all Internet traffic to email theft via an attacker-controlled proxy.

The bug can be exploited at any time of day, provided the phones are connected to their mobile networks, but the wireless access points are not affected.

According to the researchers, anyone connected to a cellular network could be the target of such attacks because SMS do not require that the victim's device be connected to a wireless network, and only one message is required to access fully to the emails of the device.

Disturbingly, all that the attackers need is a GSM modem, which can then be used to send the message to the intended victims by acquiring IMSI numbers, a number that uniquely identifies each user of the cellular network.

The message follows a model defined by the Open Mobile Consortium – which defines some of the basic criteria used by the networks, but with poor authentication, which means that the recipient can not verify whether the suggested parameters are provided by the carrier or a carrier. Attacker attempting to lead the attack.

All companies, with the exception of Sony, have posted fixes or are planning to fix the vulnerability in future releases, after the release of the results by Check Point in March.

Samsung has corrected the bugs in the May security update (SVE-2019-14073), while LG has fixed it in July (LVE-SMP-190006), while Huawei plans to include this fix in the next generation of phones from the Mate series. (P).