Hundreds of Google Play apps create spoofed messages in users' SMS inboxes, Symantec says
The technique could be used for SMS phishing attacks
IDG News Service - About 200 Android applications hosted on Google Play create spoofed SMS messages on the devices on which they are installed, according to security researchers from antivirus vendor Symantec.
This technique can theoretically be used for SMS phishing, a type of attack where users are asked for sensitive information or to subscribe to paid services through rogue SMS messages that appear to originate from a trusted source.
However, the applications detected so far use the technique for other purposes, like displaying advertisements, Mario Ballano, a security researcher at Symantec, said Monday in a blog post.
Last Friday, security researchers from North Carolina State University announced the discovery of a so-called "smishing" (SMS phishing) vulnerability in the Android Open Source Project (AOSP) -- the code that serves as the basis for most Android firmware created by phone manufacturers.
The vulnerability allows a running app without any special permissions to directly write text messages with spoofed sender addresses (telephone numbers) and arbitrary content in the user's SMS inbox.
"We believe such a vulnerability can be readily exploited to launch various phishing attacks," Xuxian Jiang, an associate professor in the Department of Computer Science at NC State University, said at the time. The Google Android Security Team was notified and confirmed that a change will be made in a future Android release to stop this behavior, he said.
However, the code to generate such spoofed SMS messages locally has been publicly documented and used since August 2010, Ballano said.
"We have recorded more than 250 applications that contain code using this technique including 200 that are currently available on Google Play with millions of combined downloads," the researcher said. "Some of the applications use the code to better integrate text messaging with instant messaging or other online services. The vast majority are using an ad-network software development kit (SDK), which pushes ads straight into your SMS inbox."
Even though Symantec has not yet detected an app that used this technique for SMS phishing, users should be wary of the source of any suspicious incoming text messages until Google solves this problem in Android, Ballano said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts