Researchers at N.C. State have found a new vulnerability in Android phones and devices, and Google has confirmed it.
Google says the problem will be addressed in a future Android release.
The vulnerability includes devices running Gingerbread, Ice Cream and Jelly Bean platforms for Android.
The problem involves SMS-phishing, or “smishing.”
Wikpedia defines this as:
“Smishing is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from “SMs phISHING”. SMS (Short Message Service) is the technology used for text messages on cell phones.
“Similar to phishing, smishing uses cell phone text messages to deliver the “bait” to get you to divulge your personal information. The “hook” (the method used to actually “capture” your information) in the text message may be a web site URL, however it has become more common to see a phone number that connects to automated voice response system.”
Notes NCSU: ”If an Android user downloads an infected app, the attacking program can make it appear that the user has received an SMS, or text, message from someone on the phone’s contact list or from trusted banks. This fake message can solicit personal information, such as passwords for user accounts.”
NCSU’S Xuxian Jiang and his research team discovered the problem.
“For responsible disclosure, we will not publish the details of the vulnerability until an ultimate fix is out,” Jiang said. “However, we think all recent Android phones are vulnerable.”
Jing advised users “to be cautious when downloading and installing apps (particularly from unknown sources). As always, it is important to pay close attention to received SMS text messages, in order to avoid being duped by possible phishing attacks.”
The full advisory from NCSU:
“While continuing our efforts on various smartphone-related research projects, we came across a smishing (SMS-Phishing) vulnerability in popular Android platforms. This vulnerability allows a running app on an Android phone to fake arbitrary SMS text messages, which will then be received by phone users. We believe such a vulnerability can be readily exploited to launch various phishing attacks.
“One serious aspect of the vulnerability is that it does not require the (exploiting) app to request any permission to launch the attack. (In other words, this can be characterized as a WRITE_SMS capability leak.) Another serious aspect is that the vulnerability appears to be present in multiple Android platforms — in fact, because the vulnerability is contained in the Android Open Source Project (or AOSP), we suspect it exists in all recent Android platforms, though we have so far only confirmed its presence in a number of phones, including Google Galaxy Nexus, Google Nexus S, Samsung Galaxy SIII, HTC One X, HTC Inspire, and Xiaomi MI-One. The affected platforms that have been confirmed range from Gingerbread ((2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1).
“We notified the Google Android Security Team on 10/30/2012 and were — as always — impressed to receive their response within 10 minutes. The confirmation of the vulnerability presence arrived on 11/1/2012 — two days after our initial report. From their response, we can infer that they took this issue seriously and investigated it without delay.
“The vulnerability is now confirmed and we was told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.
“For responsible disclosure, we will not publish the details of the vulnerability until an ultimate fix is out. However, we would like to inform the public about the potential risk, which is the reason why we have created this webpage.
“Before the ultimate fix is out, this threat can be mitigated in several ways. For example, users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). As always, it is important to pay close attention to received SMS text messages, in order to avoid being duped by possible phishing attacks.
“Finally, we’d like to thank the Android Security Team for verifying the presence of this vulnerability and keeping us informed as this fix progresses.”