Vulnerability lets text messages steal emails from Android phones

Devices from Samsung, LG, Huawei and Sony are affected.

Bogus text messages aren't just being used to send you to malicious websites or crash your phone -- in some cases, they can hijack your emails. Check Point Research has discovered a vulnerability in phones from Huawei, LG, Samsung and Sony that lets attackers use custom SMS to intercept all email traffic on target devices. The attack uses the common Open Mobile Alliance version of over-the-air provisioning, a carrier technique for deploying settings to new phones, to access emails. The attacks require different methods depending on the phone and available info (such as IMSI numbers and requesting PIN codes), but the result is the same: intruders trick users into compromising their phones through messages that pose as network settings changes.

The problem stems in part from the way the provisioning works. While it supports provisioning through relatively secure methods like PIN codes, it doesn't require them. And it's usually down to individual vendors to decide how to implement this format rather than platform creators like Google, leading to inconsistent security. Affected Samsung devices, for instance, don't need any authentication at all to fall victim.

This variety also affects how secure your device is. Some vendors have been better at addressing the problem than others. Samsung fixed the flaw through a May update, while LG released its patch in July. Huawei, however, said it wouldn't deliver interface fixes until the next wave of Mate and P-series phones. You might have to wait weeks or months to get a solution, if you get one at all. Sony, meanwhile, reportedly "refused to acknowledge" the flaw and would only say that it followed the Open Mobile Alliance spec. Your Xperia might remain vulnerable unless there's a change of heart.

This wouldn't be as much of an issue if it weren't for the scale of the issue and the relative ease of launching attacks. Combined, the vendors represent more than half of all Android phones. And all you need to instigate the attack is a GSM modem (or phone in modem mode) and basic software to compose the messages. You can protect yourself by refusing these messages, but this could be a significant problem unless more Android vendors fall in line.