The affected Android phones use over-the-air (OTA) provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network. However, Check Point Research found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), includes limited authentication methods. Remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users. The message tricks users into accepting malicious settings that, for example, route their Internet traffic through a proxy server owned by the hacker.