A flaw found in Samsung, Huawei, LG and Sony smartphones could allow hackers to read every email exchange by the owner
More than a billion Android phones were left vulnerable to phishing attacks that allowed hackers access to devices via a simple text message.
According to research from cyber security company Check Point, the flaw was present in Samsung, Huawei, LG, Sony and other Android-based phones but has now largely been fixed.
It would have left users vulnerable to “advanced phishing attacks” that allowed hackers to reroute internet traffic through a proxy server owned by the hacker, a technique sometimes known as a man-in-the-middle (MITM) attack.
This would have allowed the attackers to effectively eavesdrop on users' online activity or even read their emails.
Slava Makkaveev, security researcher at Check Point Software Technologies, said: “Given the popularity of Android devices, this is a critical vulnerability that must be addressed.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning (OTA).”
According to Makkaveev, the method of the attack meant users would have no way of discerning that the message was from a hacker, which would be the same as “letting an attacker into their phone”.
How did the Android phishing hack work?
The Android phishing hack exploited a feature in the phones that allows mobile network providers to remotely deploy settings to phones that have recently signed up.
The Check Point researchers found there were “limited authentication methods” for what is an industry standard.
It meant hackers could pose as mobile operators to send deceptive messages to the mobile user that ask them to accept malicious settings.
The cyber security researchers claim this added an extra layer of threat to the Android hack because users had no means of verifying who was sending them the SMS messages.
Check Point Research informed the vendors that were affected by the vulnerability in March this year.
Samsung claimed that it takes security seriously and aims to provide a “safe and secure experience for our customers”.
Samsung and LG responded by issuing a fix in May and July updates, while Huawei is planning to address the phishing issue in its next generation of smartphones.