Researchers have uncovered a new kind of “advanced” phishing attack targeting Android phones that can trick users into installing malicious settings on their devices that are disguised as innocuous network configuration updates.

The attack, disclosed by cybersecurity firm Check Point Research today, has been found to work on most modern Android phones, including the Huawei P10, LG G6, Sony Xperia XZ Premium, and Samsung Galaxy S9. But any phone running Android can be targeted this way.

Given that Samsung, Huawei, LG, and Sony account for more than 50 percent of all Android phones, the scope of the attack is understandably far broader.

According to the report, threat actors leverage over-the-air (OTA) provisioning, a technique often used by telecom operators to deploy carrier-specific settings on new devices, to intercept all email traffic to and from Android phones using bogus SMS messages.

“A remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic to steal emails through a proxy controlled by the attacker,” wrote researchers Artyom Skrobov and Slava Makkaveev.

The vulnerability can be exploited at all times throughout the day as long as the phones are connected to their carrier networks. Wi-Fi hotspots, however, are not impacted.

Troublingly, all a cybercriminal needs is a GSM modem, which can then be used to send a provisioning message to the intended victims by getting hold of their international mobile subscriber identity (IMSI) numbers, a number that uniquely identifies every user of a cellular network.

The provisioning messages follow a format, Open Mobile Alliance Client Provisioning (OMA CP), defined by Open Mobile Alliance, but they are also weakly authenticated, meaning a recipient cannot verify whether the suggested settings originated from their carrier or from a fraudster trying to execute a man-in-the-middle attack.
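A defender-side triage of a decoded OMA CP document, added here as an example (not code from Check Point or the article): it reports how a message was authenticated and whether it would install a proxy outside a known carrier set. The `SEC` values and the `PXPHYSICAL`/`PXADDR`/`PORTNBR` names come from the OMA CP specification rather than this page; `triage`, `proxy_endpoints`, the allowlist and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SEC parameter values from the OMA CP specification (not stated in the article).
SEC_METHODS = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}

# Constructed sample: a decoded provisioning document that installs a proxy.
SAMPLE_DOC = """<wap-provisioningdoc version="1.1">
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="proxy1"/>
    <parm name="NAME" value="Network update"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PXADDR" value="198.51.100.23"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <characteristic type="PORT"><parm name="PORTNBR" value="8080"/></characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


def proxy_endpoints(doc_xml):
    """Return each (address, port) the document would configure as a proxy."""
    if "<!ENTITY" in doc_xml:  # untrusted input: refuse entity definitions
        raise ValueError("entity declarations not allowed")
    endpoints = []
    for node in ET.fromstring(doc_xml).iter("characteristic"):
        if node.get("type") != "PXPHYSICAL":
            continue
        addr = next((p.get("value") for p in node.findall("parm")
                     if p.get("name") == "PXADDR"), None)
        port = next((p.get("value") for p in node.iter("parm")
                     if p.get("name") == "PORTNBR"), None)
        endpoints.append((addr, port))
    return endpoints


def triage(doc_xml, sec, mac, carrier_proxies):
    """Return findings for one message; sec/mac are its SEC and MAC values or None."""
    method = SEC_METHODS.get(sec)
    findings = []
    if method is None or not mac:
        findings.append("no usable authentication")
    elif method == "NETWPIN":
        findings.append("authenticated only by a key derived from the IMSI")
    else:
        findings.append(f"{method}: shared-secret MAC, does not prove carrier origin")
    for addr, port in proxy_endpoints(doc_xml):
        if addr not in carrier_proxies:
            findings.append(f"proxy {addr}:{port} is not a known carrier proxy")
    return findings
```
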

After Check Point privately disclosed its findings in March, all companies with the exception of Sony have issued patches or are planning to fix the vulnerability in upcoming releases. Samsung tackled the flaw in its May security update (SVE-2019-14073), while LG fixed it in July (LVE-SMP-190006).

Huawei intends to plug the exploit in its upcoming smartphones, per Check Point, but it’s not fully clear if the US-China trade war will cause added complications. Sony, for its part, is currently sticking to the existing OMA CP specification, with OMA tracking this issue separately.

Threat actors have long used various methods to stage all sorts of phishing attacks. But the idea that an attacker can send custom SMS messages to change the network and internet settings in the device via clever social engineering campaigns is very concerning.

The takeaway, ultimately, is that you should be careful about installing anything untrusted on your device, especially things that are delivered via text messages or linked in texts.
