SMS-Phishing Vulnerability on Android

News Article - Thursday, 08 November 2012 09:28

By: Kerry Butters Category: Security

Google’s Android mobile OS has come in for a lot of criticism over the past couple of years or so, with malicious apps on the rise all the time.

Now researchers have found a new vulnerability, which they refer to as a potential “smishing” flaw, in all of the popular Android platforms. It allows an app which is already running to “fake arbitrary SMS text messages, which will then be received by phone users”.

This has led them to believe that the vulnerability could be exploited on Android phones to launch phishing attacks. Critically, the flaw, which is built into Gingerbread, Ice Cream Sandwich, and Jelly Bean, does not require the exploiting app to hold any permission to launch an attack.

Researchers suspect that the vulnerability exists in “all recent Android platforms” including the new Samsung Galaxy SIII, the Google Nexus range and many new HTC handsets. When they approached Google with the problem, the vulnerability was confirmed within two days and Google are said to be “investigating it without delay”.

Future releases of the Android OS will not contain the flaw, and at the moment researchers say they are not aware of any active exploitation of the vulnerability.

“For responsible disclosure, we will not publish the details of the vulnerability until an ultimate fix is out,” said Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University.

Until a fix is issued, the researchers warn Android users to be aware of the risk and to be cautious about the apps they download, always checking permissions. It’s also important to pay close attention to SMS messages received so that users are not “duped” into falling for a phishing attack.

The research team has posted a demo clip on YouTube showing how the flaw works and explaining the problem in more detail. They have also performed follow-up tests and found that the problem dates back to earlier versions of the OS.
