Security researchers from Context IS have uncovered serious vulnerabilities in a number of premium Samsung Galaxy phones that allow an attacker to crash a device with a single SMS message, and to turn that crash into a ransom demand.
The report is part of a series which aims to show “how, even in 2017, SMS-based attacks on Android phones are still viable”. As longtime readers might recall, iOS too was vulnerable to such attacks, but that was nearly two years ago. While the report focuses on Samsung’s Android handsets, the researchers suggest that similar vulnerabilities may well exist in other vendors’ smartphones.
Here’s the gist of it: OMA Client Provisioning (Open Mobile Alliance Client Provisioning, or OMA CP) is the mechanism operators use to push network settings to a handset, and it is delivered as a WAP Push message over SMS. By abusing it, the researchers were able to send a specially crafted SMS that changes the Wi-Fi access point settings and crashes the Galaxy devices. The attack requires no user intervention at all: the phone processes the provisioning message on its own, which makes it all the more dangerous.
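To make the delivery path concrete, here is an added Python example (my own triage script, not code from Context IS, Samsung or the original article) that parses the user data of an SMS, recognises a WAP Push addressed to the WAP Push port, and reports whether the push is an OMA CP provisioning document and whether it carries the SEC/MAC authentication parameters that let a handset verify the sender. It does not reproduce the Samsung crash (the article gives no crafting details); it is the check you would run over a modem trace or SMS log when hunting for such messages. Assumed input is the raw TP-User-Data of an 8-bit SMS starting with the UDH length byte; the byte values follow WAP-230-WSP and OMA-WAP-ProvCont, and both sample PDUs are constructed for this example.

```python
"""Triage SMS user data for WAP Push / OMA CP provisioning messages (added example)."""

WAP_PUSH_DST_PORT = 2948          # 0x0B84: WAP Push (connectionless WSP) over SMS
WSP_PDU_PUSH = 0x06
CT_CONNECTIVITY_WBXML = 0x36      # application/vnd.wap.connectivity-wbxml (OMA CP)
PARAM_SEC = 0x11                  # well-known Content-Type parameter "SEC"
PARAM_MAC = 0x12                  # well-known Content-Type parameter "MAC"
SEC_NAMES = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}


def read_uintvar(buf, pos):
    """Decode a WSP uintvar: 7 data bits per byte, MSB set means 'more bytes follow'."""
    value = 0
    while True:
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def parse_udh(user_data):
    """Split the UDH from the payload; return ({'dst','src'} ports or None, payload)."""
    udhl = user_data[0]
    udh = user_data[1:1 + udhl]
    payload = user_data[1 + udhl:]
    ports = None
    i = 0
    while i + 1 < len(udh):
        iei, iel = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iel]
        if iei == 0x05 and iel == 4:          # 16-bit application port addressing
            ports = {"dst": int.from_bytes(data[0:2], "big"),
                     "src": int.from_bytes(data[2:4], "big")}
        i += 2 + iel
    return ports, payload


def parse_wsp_push(payload):
    """Parse a connectionless WSP Push PDU (TID, type, HeadersLen, Content-Type).

    Only the well-known short-integer Content-Type form is handled, with or
    without a parameter list. Returns None if the PDU is not a Push.
    """
    tid, pdu_type = payload[0], payload[1]
    if pdu_type != WSP_PDU_PUSH:
        return None
    hdr_len, pos = read_uintvar(payload, 2)
    headers = payload[pos:pos + hdr_len]
    body = payload[pos + hdr_len:]
    params = {}
    first = headers[0]
    if first & 0x80:                          # bare short-integer, no parameters
        ct_code = first & 0x7F
    else:                                     # Value-length, code, then parameters
        if first == 0x1F:
            vlen, p = read_uintvar(headers, 1)
        else:
            vlen, p = first, 1
        end = p + vlen
        ct_code = headers[p] & 0x7F
        p += 1
        while p < end:
            pcode = headers[p] & 0x7F
            p += 1
            if pcode == PARAM_SEC:
                params["SEC"] = headers[p] & 0x7F          # short-integer value
                p += 1
            elif pcode == PARAM_MAC:
                nul = headers.index(0, p)                  # NUL-terminated text
                params["MAC"] = headers[p:nul].decode("ascii")
                p = nul + 1
            else:
                break                                      # unknown parameter: stop, don't guess
    return {"tid": tid, "content_type": ct_code, "params": params, "body": body}


def triage(user_data):
    """Is this a WAP Push? Is it OMA CP? Does it carry anything the handset can verify?"""
    ports, payload = parse_udh(user_data)
    if ports is None or ports["dst"] != WAP_PUSH_DST_PORT:
        return {"wap_push": False, "oma_cp": False, "sec": None, "has_auth_params": False}
    push = parse_wsp_push(payload)
    if push is None:
        return {"wap_push": True, "oma_cp": False, "sec": None, "has_auth_params": False}
    is_cp = push["content_type"] == CT_CONNECTIVITY_WBXML
    sec = push["params"].get("SEC")
    return {
        "wap_push": True,
        "oma_cp": is_cp,
        "sec": SEC_NAMES.get(sec, f"unknown({sec})") if sec is not None else None,
        # With neither SEC nor MAC the handset has nothing to check the sender against.
        "has_auth_params": is_cp and sec is not None and "MAC" in push["params"],
    }


# Constructed samples, not captured traffic. UDH: port addressing, dst 2948, src 9200.
# The WBXML body is a minimal prolog (v1.3, public id PROV 1.0, UTF-8, empty string
# table) plus an empty root element; it is not decoded by this script.
UDH = bytes([0x06, 0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0])
WBXML_BODY = bytes([0x03, 0x0B, 0x6A, 0x00, 0x45, 0x01])
# Content-Type 0xB6 with no parameters: an unauthenticated provisioning push.
CP_UNAUTH = UDH + bytes([0x01, WSP_PDU_PUSH, 0x01, 0xB6]) + WBXML_BODY
# Content-Type 0xB6; SEC=USERPIN; MAC="A1B2C3D4" (value-length 13, headers 14 bytes).
CP_USERPIN = (UDH + bytes([0x02, WSP_PDU_PUSH, 0x0E, 0x0D, 0xB6, 0x91, 0x81, 0x92])
              + b"A1B2C3D4\x00" + WBXML_BODY)
# Ordinary concatenated text message (IEI 0x00), no port addressing at all.
PLAIN_SMS = bytes([0x05, 0x00, 0x03, 0x42, 0x02, 0x01]) + b"hello"

if __name__ == "__main__":
    for name, pdu in [("CP_UNAUTH", CP_UNAUTH), ("CP_USERPIN", CP_USERPIN), ("PLAIN_SMS", PLAIN_SMS)]:
        print(name, triage(pdu))
```

Note that `has_auth_params` only says the message carries SEC and MAC; whether the handset actually checks them (and, for USERPIN, prompts for the PIN) is the handset's business, which is exactly the behaviour the research calls into question.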
The researchers say that an attacker could also undo the damage by sending a second SMS that reverts the change, and that is where the extortion opportunity lies: crash the phone, then demand payment for the message that fixes it. The good news is that victims are not dependent on the attacker to get their phone back.
Affected users can refuse to pay and perform a factory reset to get the device working again. Rooted users have it easier: with root privileges they can connect over ADB and simply delete the “default_ap.conf” file, which is the file the malicious SMS modifies.
Of the devices the researchers tested, the vulnerable handsets include the Galaxy S4, Galaxy S4 Mini, Galaxy S5 and Galaxy Note 4, which are still pretty popular in major markets. Newer handsets like the Galaxy S6 and Galaxy S7 are not affected. More good news is that Samsung has been informed of these vulnerabilities and released fixes.
The Context IS researchers say that Samsung was informed of these vulnerabilities in mid-June 2016. Samsung issued an update that fixes all of the reported issues on November 7 of the same year, roughly five months later. Chances are that, by now, it is generally available.
However, it is up to users to install the update. Without it, attackers can keep crashing a device at will: a factory reset clears the malicious settings but does not remove the underlying flaw, so the phone remains vulnerable until the update is installed.