Security News

Critical flaw found in many Android smartphones

Avast Security News Team, 5 September 2019

Android phones made by Samsung, Huawei, LG, and Sony have been found to have a major vulnerability.

Cybersecurity researchers have identified a critical flaw in the Android smartphones built by Samsung, Huawei, LG, and Sony, whereby a bad actor could potentially infiltrate a victim’s phone using a phony provisioning message. Mobile operators send out provisioning messages as SMS texts when they make internal changes to their systems, and the messages request user approval to change the device’s network settings. The vulnerability was disclosed to the smartphone makers in March this year. Forbes reported estimates that as many as 1.25 billion Android users could be at risk. 

In addition to network providers, large enterprises also make use of the provisioning message protocol, for instance to configure employee devices with the company’s email server. ZD Net reported that the researchers were able to send phony provisioning messages to smartphones made by the four developers mentioned above, and all were received without issue. 

This means that bad actors could also take advantage of sending provisioning messages to users, tricking them into modifying their devices to reroute email or web traffic through a malicious server. Because this is a new attack vector, users will most likely trust these fraudulent yet official-looking texts at first. If they don’t suspect anything is wrong, they will automatically grant the permission, essentially putting their most sensitive information in the criminals’ hands. 

“All software is bound to have vulnerabilities, and this is no exception,” Avast Security Evangelist Luis Corrons reminds us. “What really makes a difference is the diligence these companies take to fix the problem and protect their users. I strongly recommend we put our trust in brands that take security seriously and are able to react quickly with a solution.”

Samsung, Huawei, and LG have already issued patches for the flaw while Sony has not.  Here’s what each company has done: 

    • Samsung included a fix in its Security Maintenance Release for May

    • LG sent out a fix in their July Security Bulletin

    • Huawei plans to include the fix in its next generation of Mate series and P series mobile phones

    • Sony Mobile has not issued a fix and so far has refused to acknowledge the vulnerability, according to ZD Net


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.