Cybersecurity researchers warned Wednesday of malicious software in text messages pretending to be from telecom carriers, opening a door for hackers to attack Android smartphones.
A report released by Check Point described a "new class of phishing attacks" that, when successful, can let hackers steal emails from Android smartphones made by Huawei, LG, Samsung and Sony.
The attack hinges on text messages made to appear as though they are coming from trusted telecom carriers requesting to update network settings, according to Check Point.
Allowing the "over-the-air provisioning" on a smartphone will give the attacker access to emails, the report indicated.
"When you first join a new carrier network, you'll get a warm welcome message from your carrier — do not trust it," said Check Point security researcher Slava Makkaveev.
"Simply, we can't trust those texts anymore."
The attack can be executed at large-scale without any special gear, just a USB dongle that can be bought for $10 or so, according to Check Point.
Researchers said they tested the attack on an array of smartphones and notified respective device-makers of their findings early this year.
Samsung and LG fixed the vulnerability in security software updates, and Huawei planned to do the same in its next generation of Mate and P series smartphones, the researchers said.
"Although patches are in motion with named Android vendors, messages from trusted mobile carriers are, in fact, not to be trusted," the security firm contended.
The report comes days after Google researchers reported on a hacking operation that allowed attackers to plant malicious software on iPhone over a period of at least two years.
Researchers have also expressed concern about "SIM swap" fraud that enables an attacker to take over a phone number, and potentially other accounts, a trick used in the brief takeover of the Twitter account of the platform's chief executive Jack Dorsey.
Twitter nixes tweets by text after CEO account hack
Washington (AFP) Sept 4, 2019 –
Twitter on Wednesday halted users' ability to fire off tweets via text messages as it seeks to fix a vulnerability that led to CEO Jack Dorsey's account being hijacked.
Dorsey last week was the target of so-called "SIM swap" fraud, which enables a hacker to trick a mobile carrier into transferring a number — potentially causing people to lose control not only of social media, but bank accounts and other sensitive information.
This type of attack targets a weakness in the use of "two-factor authentication" via text message to validate access to an account, a break-in method that has grown popular in recent years.
"We're temporarily turning off the ability to Tweet via SMS, or text message, to protect people's accounts," the Twitter support team wrote on the platform.
"We're taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication."
The San Francisco-based service added that as it works on a long-term solution to the problem, tweeting via text message eventually will be turned back on in markets where users rely on that technique.
Even with considerable security precautions in place, Dorsey became the victim of the embarrassing compromise when attackers hijacked his phone number and took control of his Twitter account.
Dorsey's account was restored after a brief period during which the attackers posted a series of offensive tweets.
Some analysts say hackers have found ways to easily get enough information to convince a telecom carrier to transfer a number to a fraudster's account, especially after hacks of large databases that result in personal data sold on the so-called "dark web."
"Mobile accounts' text messages can be hijacked by sophisticated hardware techniques, but also by so-called 'social engineering' — convincing a mobile provider to migrate your account to another, unauthorized phone," said R. David Edelman, a former White House adviser who heads a cybersecurity research center at the Massachusetts Institute of Technology.
"It only takes a few minutes of confusion to make mischief like Dorsey experienced."
