[Security Advisory] Samsung leaves its Android Smartphones with WAP-Push Feature Open to Attacks (one sms to rule them all)

Samsung is currently the biggest smartphone vendor in the world. Their Android-based smartphones also have the largest market share among all vendors.

They recently updated multiple devices to Android 4.0.x and more are on the waitlist. Android Smartphones with ICS from Samsung support WAP Push messages to enable the user to receive Logos, Ringtones etc.

The default setting for WAP Push messages is "always accept", which leaves these Smartphones open to attacks.

There are two kinds of WAP Push Messages:

Attack 1.) Service Indication Message (SI) will present a message on the device with an embedded URL. The user can open the message and follow the URL with one click.

The sender's number is not displayed by the device. The user is unable to verify who sent this message and whether the contained link can be trusted. This leaves room for social engineering, phishing or, if an exploit exists, a compromise of the whole device. Obviously this kind of SMS also allows malicious people to send anonymous messages to their victims.

Attack 2.) Service Load Message (SL) will allow a provider to push software updates to the device or let logos or ringtones be pushed to the device.

The sender of a Service Load message can configure how the target device should handle it. Among other options, one forces the target device to load the defined content from a URL without interacting with the user. Again, the sender's number is not displayed by the device. If the device receives such a forced message, it opens the default browser and either displays the URL defined in the message or downloads the targeted payload from the URL. This can be any file type, even an APK. In the case of an APK, the user is asked whether to install the file. If sideloading is activated in the device settings, the provided file will be installed.
If the browser contains a vulnerability, this kind of message can be used to fully compromise the device.

Risk Mitigation: Open the SMS App and press Menu -> Settings. Go to “Push message settings” and either disable the service or, if you need it, set “Service loading” to “Prompt” or “Never”. To test if your device is vulnerable, you can use HushSMS for Android to send WAP Push SI and WAP Push SL messages.
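To see how these settings change the handling of each message type, the following added example (not part of the original advisory and not Samsung's code) triages a WAP Push document that has already been decoded to XML text, for instance on a gateway or from a capture. The function name, the outcome labels, the push_enabled switch and the sample messages are assumptions made for illustration; the outcomes model the behaviour described in this advisory, and the default action values come from the SI and SL DTDs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def triage_wap_push(xml_text, service_loading="Always", push_enabled=True):
    """Model what a handset with these settings does with a decoded SI/SL document."""
    if "<!ENTITY" in xml_text:  # untrusted input: refuse entity declarations
        raise ValueError("entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag == "sl":
        kind, node, default_action = "SL", root, "execute-low"
    elif root.tag == "si" and root.find("indication") is not None:
        kind, node, default_action = "SI", root.find("indication"), "signal-medium"
    else:
        raise ValueError("not a Service Indication or Service Loading document")

    href = node.get("href", "")
    flags = ["sender-not-displayed"]      # stated in the advisory for SI and SL
    if urlparse(href).path.lower().endswith(".apk"):
        flags.append("apk-payload")       # install prompt, or install if sideloading is on

    if not push_enabled or (kind == "SL" and service_loading == "Never"):
        outcome = "dropped"
    elif kind == "SI":
        outcome = "shown-with-link"       # user can follow the URL with one click
    elif service_loading == "Prompt":
        outcome = "ask-user"
    else:
        outcome = "auto-load"             # default "always accept" behaviour
    return {"kind": kind, "href": href,
            "action": node.get("action", default_action),
            "outcome": outcome, "flags": flags}


# Constructed samples with placeholder URLs, in the text form of the SI and SL DTDs.
SAMPLE_SL = '<sl href="http://updates.example.com/app.apk" action="execute-high"/>'
SAMPLE_SI = ('<si><indication href="http://example.com/offer" si-id="1">'
             'You have a new message</indication></si>')

if __name__ == "__main__":
    for setting in ("Always", "Prompt", "Never"):
        print(setting, triage_wap_push(SAMPLE_SL, setting))
    print(triage_wap_push(SAMPLE_SI))
```

Note that the “Service loading” setting only changes the SL outcome; in this model an SI message is still shown with its link unless the push service is disabled entirely.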

Screenshot of a received WAP Push SI message.