Saturday, June 15, 2024

How a Single SMS with WAP Crap can Break your Samsung Galaxy phone

Security researchers from Context IS disclosed bugs in Samsung Galaxy phones that can be triggered remotely via SMS and that, when combined, create an opening for ransomware operators.

The Samsung Mobile Security Team moved quickly to fix the issues, giving a good example of how coordinated disclosure should happen.

OMA CP protocol

WAP Push can be used to transport information for a large number of uses. The one the researchers focused on was the Open Mobile Alliance Client Provisioning (OMA CP) protocol, which permits remote device provisioning and configuration.

Now let’s see if it works in practice. On Samsung Galaxy devices, including the S7, which was the newest device at the time, OMA CP messages are handled by the “omacp” application.

Researchers used their SMS test rig to test some custom OMA CP SMS messages by sending them to the devices.

As it turns out, our rig was able to send these messages to these devices, and they were received and correctly processed despite no authentication details being present in the message; the app completely ignores the security field of the message.
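What honoring the security field looks like on the receiving side, as an added example (not code from Context IS, Samsung or the omacp app): in the OMA CP bootstrap scheme the push carries SEC and MAC parameters, and the MAC is an HMAC-SHA1 over the WBXML body keyed by a user PIN or the IMSI. The function names and the sample body, PIN and IMSI are constructed for illustration.

```python
import hashlib
import hmac

# SEC parameter values defined by the OMA CP bootstrap security scheme.
SEC_NETWPIN, SEC_USERPIN = 0, 1

# Constructed placeholder bytes standing in for a WBXML provisioning document.
SAMPLE_BODY = b"constructed-wbxml-provisioning-body"

def imsi_semi_octets(imsi: str) -> bytes:
    """Encode an IMSI in semi-octet (swapped-nibble) form, the NETWPIN key."""
    digits = [int(d) for d in imsi]
    odd = len(digits) % 2 == 1
    # First octet: first digit in the high nibble, parity/type (9 odd, 1 even) low.
    out = [(digits[0] << 4) | (0x9 if odd else 0x1)]
    rest = digits[1:] + ([] if odd else [0xF])  # pad with F when digit count is even
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)

def expected_mac(key: bytes, wbxml_body: bytes) -> str:
    """MAC as carried in the push: HMAC-SHA1 of the body, 40 uppercase hex digits."""
    return hmac.new(key, wbxml_body, hashlib.sha1).hexdigest().upper()

def accept_provisioning(sec, mac_hex, wbxml_body, *, user_pin=None, imsi=None):
    """Return (accepted, reason); anything that cannot be authenticated is dropped."""
    if sec is None or not mac_hex:
        return False, "missing SEC/MAC: unauthenticated message"
    if sec == SEC_USERPIN and user_pin:
        key = user_pin.encode("ascii")
    elif sec == SEC_NETWPIN and imsi:
        key = imsi_semi_octets(imsi)
    else:
        return False, "unsupported SEC method or no shared secret available"
    want = expected_mac(key, wbxml_body).encode()
    # Constant-time comparison so the check does not leak how many digits matched.
    if not hmac.compare_digest(want, mac_hex.upper().encode()):
        return False, "MAC mismatch: body or sender not authentic"
    return True, "MAC verified"

if __name__ == "__main__":
    good = expected_mac(b"1234", SAMPLE_BODY)  # constructed PIN
    print(accept_provisioning(SEC_USERPIN, good, SAMPLE_BODY, user_pin="1234"))
    print(accept_provisioning(None, None, SAMPLE_BODY))  # the case the page describes
    print(accept_provisioning(SEC_USERPIN, good, SAMPLE_BODY + b"x", user_pin="1234"))
```

The second call is the situation reported for the affected devices: a message with no security parameters, which a receiver enforcing the scheme drops before parsing any settings.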


The omacp app was then analyzed to identify any code paths where configurations are accepted without user interaction. There were a few hints that this might be possible, for example a check for “xcpSetBgInstall”, which hints at a possible background install.

A function called xcpInstallWifiSetting also appeared to always be called if there were settings inside the configuration message.


In order to trigger the bug over the air, they had to go back to the omacp app and work out the message format. The app makes use of a native C library, “libomacp”, which handles the parsing of configuration messages – it’s finally time to crack open IDA and do some proper reversing.

After a bit of IDA Pro magic, they identified how to build a WBXML-encoded WAP Push message to set some Wi-Fi settings. In the process, they also found a WBXML parsing bug that is registered as CVE-2016-7990.


They also found a remote code execution vulnerability on Samsung devices, the S5 and below, detailed in the following CVEs:

  • CVE-2016-7988 – No Permissions on SET_WIFI Broadcast receiver
  • CVE-2016-7989 – Unhandled ArrayIndexOutOfBounds exception in Android Runtime
  • CVE-2016-7990 – Integer overflow in
  • CVE-2016-7991 – omacp app ignores security fields in OMA CP message


The researchers observed that the vulnerable earlier versions of the phone are surprisingly prevalent around the globe.

According to Context IS, it would not be that difficult to turn the attack into a potential ransomware scenario, with attackers demanding that a Bitcoin payment be made before a fix is sent (once more, by means of a maliciously crafted SMS message):

“Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state), it does not require much imagination to construct a potential ransomware scenario for these bugs.”

Available Fixes

Samsung has now released a security update that addresses these among other vulnerabilities and, as is our usual advice, it is recommended that users prioritize the installation of these updates.

They left working out how the bugs apply to various phones as an exercise for various developers.


  • 17th June 2016 – Issues disclosed to vendor.
  • 21st June 2016 – Received acknowledgment from vendor.
  • 28th June 2016 – Received request for further details on one of the bugs.
  • 14th July 2016 – Received notification that all but one bug had been fixed.
  • 23rd August 2016 – Received notification from vendor that all issues are fixed and that patch would be released in October.
  • 7th October 2016 – Received notification from vendor that patch is delayed until Nov 7th.
  • 7th November 2016 – Patches released.

Guru baran