Tuesday, February 27, 2024

How a Single SMS with WAP Crap can Break your Samsung Galaxy phone

Security researchers from Contextis disclosed a bug in Samsung Galaxy phones that can be triggered remotely with SMS, which when combined give chances to ransomware peddlers.

Samsung Mobile Security Team rushed to settle the issues, giving a good example of how coordinated disclosure should happen.

OMA CP protocol

WAP Push can be used to transport information for a large number of utilization. The application that got by researchers was the Open Mobile Alliance Client Provisioning (OMA CP) protocol that permits remote gadget provisioning and configuration.

Now let’s see if it works in practice. On Samsung Galaxy gadgets, including the S7 which was the freshest gadget then, OMA CP messages are dealt with by the “omacp” application.

Researchers used their SMS test rig to check some custom OMA CP SMS messages and send them to the gadgets.

As it turns out, our rig was able to send these messages to these devices and they were received and rightly processed, despite no authentication details being present in the message and completely ignores the security field of the message.


Then omacp app was analyzed to recognize any code streams where configurations are acknowledged without client cooperation. There were a few pieces of information this might be conceivable, for example, a check for “xcpSetBgInstall” which insights towards a conceivable background install.

A capacity called xcpInstallWifiSetting additionally appeared to dependably be called if there were settings inside the configuration message.


In order to trigger the bug over the air, they use to go back to the omacp app and work out the message format. The app makes use of a native C library “libomacp“, which handles the parsing of configuration messages – it’s finally time to crack open IDA and do some proper reversing.

After a bit of IDA Pro magic, they identified how to build a WBXML encoded WAP-Push message to set some Wi-Fi settings. In the process, we also found a WBXML parsing bug that is registered as CVE-2016-7990.


They also found a remote code execution on vulnerability on Samsung devices on the S5 and below, detailed in the following CVEs:

  • CVE-2016-7988 – No Permissions on SET_WIFI Broadcast receiver
  • CVE-2016-7989 – Unhandled ArrayIndexOutOfBounds exception in Android Runtime
  • CVE-2016-7990 – Integer overflow in libomacp.so
  • CVE-2016-7991 – omacp app ignores security fields in OMA CP message


The scientists watched that vulnerable earlier version of the phone are shockingly prevalent around the globe.

Single SMS with WAP Crap can Break Samsung Galaxy phone

As indicated by Context IS, it would not be that difficult to transform the assault into a potential ransomware situation, with attackers requesting that a Bitcoin installment is made before a settle is sent (once more, by means of a malevolently made SMS message):

Available Fixes

Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state), it does not require much imagination to construct a potential ransomware scenario for these bugs.

Samsung has now released a security update that addresses these among other vulnerabilities and as is our usual advice, it is recommended that users prioritize the installation of these updates.

They got out disclosure of how the bugs apply to various phones as a practice for various developers.


Likewise Also Read; Within five attempts Android device’s Pattern Lock can be cracked


  • 17th June 2016 – Issues disclosed to vendor.
  • 21st June 2016 – Received acknowledgment from vendor.
  • 28th June 2016 – Received request for further details on one of the bugs.
  • 14th July 2016 – Received notification that all but one bug had been fixed.
  • 23rd August 2016 – Received notification from vendor that all issues are fixed and that patch would be released in October.
  • 7th October 2016 – Received notification from vendor that patch is delayed until Nov 7th.
  • 7th November 2016 – Patches released.

Latest articles

Hackers Abuse Telegram API To Exfiltrate User Information

Attackers have been using keywords like "remittance" and "receipts" to spread phishing scripts using...

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...

Scattered Spider: Advanced Techniques for Launching High-Profile Attacks

Scattered Spider is a threat group responsible for attacking several organizations since May 2022...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles