Researchers have discovered that newer Android phones are vulnerable to phishing attacks via binary Short Messaging Service (SMS) provisioning texts that can be used to alter crucial device settings and re-route data traffic.
Security vendor Check Point found that the Open Mobile Alliance Client Provisioning (OMA-CP) industry standard for provisioning does not provide a way for recipients to verify if the SMS messages arrived from a network operator or an attacker.
Through relatively inexpensive and simple means, attackers can craft OMA-CP extended markup language scripts sent via SMS that, if users accept them, can change settings such as the proxy server address, browser home page and bookmarks as well as email and directory servers for contacts and calenders.
Users who receive the SMS messages transmitted as Protocol Data Units (PDUs) won't be able to discern where they come from as the modal dialog presented on the device screen does not convey sender information.
OMA-CP is not part of the basic Google Android distribution, but Check Point said that many phone vendors add the feature to their customised versions of the mobile operating system.
While it's possible to add authentication to OMA-CP messages via unique International Mobile Subscriber Identity (IMSI) codes, or PINs, the over-the-air provisioning standard dating back to 2001-2009 does not require it.
Even with IMSI authentication, it is relatively easy for attackers to find out the identity codes.
Check Point alerted the makers of the device tested and of these, Samsung has pushed out a fix in its May security maintenance release, and LG released a patch in July this year.
Huawei said it plans to include user interface fixes for OMA-CP in the next generation of Mate and P series smartphones.
Sony meanwhile refused to acknowledged the vulnerability, saying its phones follow the OMA-CP specification.
Huawei P10, LG G6, Sony Xperia XZ Premium and Samsung's Galaxy range of phones were tested by Check Point.