The terrifying flaw could give cybercriminals access to personal data on a device with the hack taking place via a simple text message.
According to the team at Check Point Research, all affected Android phones, from the likes of Samsung, Sony and LG, use something called over-the-air (OTA) provisioning.
With the text looking like a note from their provider, its simple to see how many could then be tricked into installing malicious settings.
Researchers determined that certain Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages.
The user only needs to accept the CP and the malicious software will be installed without the sender needing to prove their identity.
Check Point Research revealed this flaw to phone companies earlier this and it’s now vital that everyone makes sure their devices are fully up to date.
Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073), LG released their fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.
If you own any device made by the firms above then check your settings and make sure you have the very latest software installed on your phone.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, Security Researcher at Check Point Software Technologies.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”