Android SMS phishing vulnerability discovered

Android SMS phishing vulnerability discovered

Gingerbread, Ice Cream Sandwich and Jelly Bean all affected

Article comments

A vulnerability that could be exploited to send deceptive text messages from some Android devices as part of a phishing scheme has been uncovered by a researcher at North Carolina State University.

Particularly worrisome is the fact that the vulnerability doesn't need any elevated app permissions in order to function, according to NCSU computer science professor Xuxian Jiang.

"The vulnerability allows a running [untrusted] app on the phone to fake an incoming SMS text message with arbitrary content, including the text message itself as well as the 'sending' phone number, which can be your friend in the contact list or simply your trusted banks," Jiang said.

The flaw is apparently present in the Android Open-Source Project, and some versions of the software ranging from 1.6 (Donut) to 4.1 (Jelly Bean) are vulnerable. Jiang said that his team has been able to exploit it on the Samsung's Galaxy Nexus, Nexus S and Galaxy S III, HTC's One X and Inspire, and the Xiaomi MI-One.

Jiang praised Google for reacting quickly, confirming the presence of the vulnerability within two days of receiving the team's report. He expressed hope that a rapid patch would be forthcoming.

Jiang did not provide full technical details of the flaw, citing responsible disclosure issues, although he did describe the vulnerability as difficult to detect but easy to exploit, once found.

Jiang has been at the forefront of the discovery of several other Android security flaws, including, in June, a rootkit attack that might have allowed malicious software to be concealed on an affected device. He is the founder of the Android Malware Genome Project, an academic investigation of security threats affecting the platform.

Share:

Comments

  • Trevor Hawthorn The key here is to make users into smart skeptics regardless of the technology being used The only way to correct Pavlovian user behavior is to immerse users in on-going trainingFull disclosure Im one of the founders at wwwthreatsimcom
  • Jay Ferrari This speaks to the overarching reality that phishing takes myriad forms Device apps operating system browser -- all can be targeted which means users have to be on their game regardless of the medium or means by which they interconnect
Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *