05 Nov 2012

Android Vulnerability Opens Door to SMS Phishing Scams

Researchers at North Carolina State University have disclosed a flaw in several widely deployed Android releases, including Gingerbread, Ice Cream Sandwich and Jelly Bean, that lets an app forge incoming text messages on a vulnerable device. The forged messages can be used in smishing (SMS phishing) scams.

"The vulnerability allows a running [untrusted] app on the phone to fake an incoming SMS text message with arbitrary content, including the text message itself as well as the 'sending' phone number, which can be your friend in the contact list or simply your trusted banks," explains Xuxian Jiang, computer science professor with NC State University and coordinator of this project.

The attack reportedly requires no elevated application permissions, so the malicious app need not request anything at install time that would tip off the user. That is what makes the forged messages dangerous: a phishing text that appears to come from a contact or from the user's bank is far more likely to be trusted than one from an unknown number.

The researchers suspect the flaw affects all recent Android releases. They found it in the Android Open Source Project (AOSP) code base and have so far confirmed it on the Samsung Galaxy Nexus, Nexus S and Galaxy S III, the HTC One X and Inspire, and the Xiaomi MI-One.

Jiang is optimistic about a prompt fix, since Google quickly reviewed the team's report and acknowledged the vulnerability. The team has, however, withheld most details of the flaw, saying only that it is difficult to discover but extremely easy to exploit once known.

Until Google ships a fix, users can reduce their exposure by installing apps only from trusted sources and by treating every text message with suspicion, including messages that appear to come from a known contact or a bank, since the displayed sender number is exactly what this flaw lets an attacker forge. Any unexpected request arriving by SMS should be verified through a channel other than the message itself before acting on it.