This attack vector relies on a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone the first time the phone joins their network.
However, sending OTA provisioning messages is available to anyone and everyone.
To send OTA messages, an attacker needs a USB dongle and a simple script, or alternatively, a piece of off-the-shelf software, to compose the message.
The basic distribution of Android (AOSP) does not allow OTA messages, but Samsung implementation does.
To target victims using Samsung phones, the attacker can send them unauthenticated Client Provisioning (OMA CP) messages.
There is no authenticity check for the attacker to overcome: all that is needed is for the user to accept the OMA CP.
OTA provisioning message is the perfect phishing attack. A recipient cannot verify whether the suggested settings originate from his network operator, or an imposter.
They do not even know what will actually be configured. Through one OTA message an attacker can trick users into routing all their Internet traffic through a controlled proxy.
Browser homepage, browser bookmarks and many other settings can be changed as well.
Samsung Vulnerability ID: SVE-2019-14073.