Google Android users have been put on alert as shock new flaw could allow hackers to access personal data via a simple text.
The new discovered terrifying flaw could give cybercriminals access to personal data on a device with the hack taking place via a simple text message.
Report from the team at Check Point Research, says all affected Android phones, from the likes of Samsung, Sony and LG, use something called over-the-air (OTA) provisioning.
If used properly it offers official network providers the ability to push out specific settings to a new device.
However, it seems hackers could easily exploit this system with them then able to pose as a network and send deceptive messages to owners.
With the text looking like a note from their provider, its simple to see how many could then be tricked into installing malicious settings.
Researchers determined that certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages.
The user only needs to accept the CP and the malicious software will be installed without the sender needing to prove their identity.
Check Point Research revealed this flaw to phone companies earlier this and it’s now vital that everyone makes sure their devices are fully up to date.
The researchers disclosed their findings to the affected vendors in March.
Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073), LG released their fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.
If you own any device made by the firms above then check your settings and make sure you have the very latest software installed on your phone.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, Security Researcher at Check Point Software Technologies.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”