Google's Android mobile OS has come in for a lot of criticism over the past couple of years, with malicious apps on the rise all the time.
Now researchers have found a new vulnerability, which they describe as a potential "smishing" (SMS phishing) flaw, in all of the popular Android platforms. It allows an app that is already running to "fake arbitrary SMS text messages, which will then be received by
This has led them to believe that the vulnerability could be exploited to launch phishing attacks against Android phones. Critically, the flaw, which is built into Gingerbread, Ice Cream Sandwich, and Jelly Bean, does not require the exploiting app to hold any permission: a malicious app can spoof an incoming message without requesting any SMS-related permission, so the permission list shown to the user at install time gives no warning.
The researchers suspect that the vulnerability exists in "all recent Android platforms", including the new Samsung Galaxy SIII, the Google Nexus range and many new HTC handsets. When they approached Google with the problem, the vulnerability was confirmed within two days, and Google is said to be "investigating it without delay".
Future releases of the Android OS will not contain the flaw, and at the moment the researchers say they are not aware of any active exploitation of the vulnerability.
"For responsible disclosure, we will not publish the details of the vulnerability until an ultimate fix is out," said Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University.
Until a fix is issued, the researchers warn Android users to be aware of the risk and to be cautious about the apps they download, always checking the permissions an app requests (though this particular flaw needs none, so a clean permission list is no guarantee). It is also important to pay close attention to SMS messages received, so that users are not "duped" into falling for a phishing attack: a message that appears to come from a bank, carrier or contact and asks the user to call a number or follow a link should be verified through another channel before acting on it.
To show how the flaw works, the research team has posted a demo clip on YouTube explaining the problem in more detail. They have also performed follow-up tests and found that the problem dates back to earlier versions of the OS as well.