The Israeli threat intel biz reckons that a single malicious SMS can pwn a targeted device, allowing an attacker to do such nefarious things as intercepting emails, text messages and so on.
"Given the popularity of Android devices, this is a critical vulnerability that must be addressed," thundered Slava Makkaveev, a Check Point researcher.
"Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air (OTA) provisioning."
OTA provisioning, in Gemalto's explanation of the term, is used to "communicate with, download applications to, and manage a SIM card without being connected physically to the card".
If you've ever received a text message from your mobile network telling you to reboot your phone or that new settings have been applied to your SIM, you've received an OTA update.