How a single SMS can break your Samsung Galaxy Android phone

It’s hard to believe that it’s 2017, and we’re still talking about Android phones being compromised by boobytrapped SMS text messages.

Vulnerability researchers at Context IS disclosed last week that they uncovered flaws in Samsung’s Galaxy S4, S4 Mini, S5 and Note 4 Android smartphones that could be exploited by remote attackers to endlessly reboot targeted devices.

The security holes, which thankfully Samsung has now issued fixes for, are exploited via WAP configuration messages – pushed to targeted devices with minimal (or no) user interaction.

Understandably, there’s a significant problem if such malicious messages are blindly accepted without proper checking regarding their origin or content.

In a video of a laboratory test, Context IS’s research team showed how an Android phone could be attacked.

More modern Samsung Galaxy S6 and S7 devices are also vulnerable to the bugs, but only if the intended victim had been tricked into installing a malicious app onto their smartphones in advance.

Although the most recent versions of the Samsung Galaxy were clearly not at as much risk, the researchers observed that vulnerable earlier editions of the phone are surprisingly popular around the world.

A constantly rebooting Android phone would be bad enough, but perhaps most worryingly the researchers paint a picture of how the vulnerability could be exploited to make money rather than simply disrupt activities.

According to Context IS, it would not be that hard to turn the attack into a potential ransomware scenario, with attackers demanding that a Bitcoin payment be made before a fix is sent (again, via a maliciously-crafted SMS message):

Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state) it does not require much imagination to construct a potential ransomware scenario for these bugs.

The message is clear. If you have a Samsung Android phone, make sure that you are keeping up-to-date with your security patches.

That, of course, is good advice for any smartphone user – and is particularly pertinent when it comes to these particular vulnerabilities.

That’s because the vulnerability researchers are concerned that similar attacks might also be possible on Android phones made by other manufacturers, and not just Samsung:

It is left as an exercise for the reader to investigate how this technology is handled by other vendors!

In the past, iPhone users have also been advised to update their devices following threats posed by Class 0 SMS messages (also sometimes called Flash SMS messages).

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

8 Comments

  • Near useless motherhood statement, endlessly repeated — "make sure that you are keeping up-to-date with your security patches.". The Telcos distribute the Android phones with customised firmware and they simply do not provide any updates, you CAN'T keep up to date with the patches when there aren't any! They're not interested in updates, they're interested in selling connectivity (and a new handset)

    • No, it's not.

      For years, the vast majority of people with devices that have gone past the 18-month update window guaranteed by the vendor were able to point their browsers to XDA, pick a third-party ROM compiled for their device and flash it on. Sure, it involves getting your hands a little dirty with unlocking the bootloader and changing the default recovery. Sure, it involves a little typing in the terminal. But distros like CyanogenMod – may it rest in peace – for instance have come up with the one-click root-unlock-flash toolkit. The only requirement is that the user either has an "open" device (like the OnePlus, Nexus, Pixel and so on) or to have a phone model that is popular enough to have a compiled version of the ROM available. And maybe we should start taxing phone vendors who turn their back away as soon as you bought the device. Or maybe we should start picking up smartphones not based on their looks or tremendous features, but to the only tremendous feature that really matters – the ability to get software updates one version after another for the entire lifespan of the device.

      • "No, it's not"

        Here's my comment: Do you really think the _average_ user even knows about XDA, much less has the confidence and skill needed to install one of those images successfully?

        Most do not, and are left to the "mercies" of a three tier patch rollout model that barely works at all. The fact that there is an alternative doesn't mean it's a good option for most users. I for one sure as heck wouldn't be sending my parents off to "download and install a patched ROM" … they'd look at me as if I had just grown horns. Getting a patch _has_ to be a single step event for the user, otherwise it's simply not going to happen.

        This issue is one of my big sore points with the business model wrapped around Android. It sucks. It's frustrating, and it makes an otherwise fairly decent mobile device inappropriate for so many users.

        • I completely see your point but user ignorance should not be an excuse for lack of security. I'll expand on that in a bit.

          Most smartphones are bought with different requirements in mind: better camera, larger screen estate, aesthetics and so on. SLA or future updates are hardly a point on pretty much anybody's checklist. And they get what they want at the expense of having to change their phone once every 12 to 18 months. That's why me and my kin usually go for "open", "actively supported" phones like Nexuses or the ubiquitous OnePlus – when official support is capped, we can move to a third-party ROM and squeeze two or three more years of usage.

          Sure, the Android update model sucks and does not work for the average Joe. What's to be done?

          A. Get educated fast;
          B. Live in ignorance and support the potential consequences;
          C. Get an iPhone

          I feel your pain but that's how the system works.

      • Are you serious? My grandma thinks xda is a new blood pressure med. She doesn't know her phone is running Android. She thinks it's, well, a phone, not a computer. The majority of the world don't know how to reset a phone let alone root it and flash a custom ROM. Get a grip.

        • Luckily, your grandma has a grandson who is tech-savvy and knows what XDA is. It's our duty as gearheads to watch for the loved ones.

          My mom has no idea about how Android works or how it gets updated. But every once in a while, I take the time to stop by and flash her device while she brews a fresh pot of coffee. And this is pretty much what I'm doing for my technically-challenged friends and friends of friends after I give them the "warranty is now void" lecture.

  • With the constant threat of cyber attacks as smart phones aren't immune to the attacks as earlier versions of Samsung's S-series and Apple's iPhones could be infected. After the trouble-prone Samsung S7 isn't immune to being attacked as hackers could have created an SMS to get into the end user's Android smartphone as the damage was done as programming could have disabled battery cooling as the battery pack heats up until it finds a weak spot before the phone could have exploded right in the middle of a call as the end user has bits of metal and plastic embedded in their face and neck. Other times during a text message the phone could have exploded sending shrapnel into the end user's skull. As smartphone makers constantly have to offer security patches as part of an upgrade as the only option was the end user accept automatic upgrades. What if hackers posed as those from the maker as the end user learnt they could have been a victim of ransomware as they could have been forced into upgrading as the hackers demand a Bitcoin payment before putting a secure lock on the smartphone as without the code the phone is more as a paperweight.

    • You can't easily hijack the update process because the phone's bootloader and recovery validate the boot process and/or the updates to be installed. Oftentimes, it is this type of enhanced validation that prevents the user from taking security into their own hands and compiling their own version of Android. Also, there is no such thing as battery cooling. It's not like a battery pack has a fan on top of it to help it stay cool. Sure, a lot of things can go wrong in software, but we're still a long way away from hackers being able to set a handset on fire.