The text message can come out of nowhere.
At first glance, it may even seem legitimate. Maybe your bank needs you to update your account information, so click this link. Or your cellphone provider asks you to change your password for security reasons by visiting some Web address.
But behind those links are sites run by opportunists looking to capture and profit off any sensitive information you provide.
If the technique sounds familiar, that’s because it’s essentially the smartphone equivalent of email phishing. SMS phishing, or “smishing,” may not be new to the malware scene, but computer scientists at North Carolina State University discovered a vulnerability this month that puts Android users at particular risk.
The research team, led by Xuxian Jiang, found that a number of Android phones allowed downloaded applications to send fraudulent text messages back to their own devices. The app doesn’t notify the user or even need to ask for permission to access text messaging capabilities, which apps are normally required to do.
The exploit would allow an attacker to develop a fake application (or alter an existing one), get Android users to download it to their phones, and trigger smishing attacks to trick users into sharing private information.
Although several Android versions are in circulation, Jiang’s team found that the vulnerability spans most of them, from version 2.2 (nicknamed Froyo) to 4.1 (Jelly Bean). That accounts for more than 90 percent of Android users as of Nov. 1, according to Google’s Developer Dashboard.
“Any app can fake a text message,” Jiang said. “Almost all Android-based smartphones are vulnerable.”
But the good news is twofold.
First off, Jiang says the risk is easy to manage when it comes to smishing, especially if users avoid downloading applications from suspicious publishers. Android’s settings, by default, don’t allow the installation of apps from unknown sources (applications outside the Google Play marketplace). Even if you don’t opt in to that setting, make sure you know what you’re downloading.
Jiang said users also need to be wary about text messages, especially from unrecognized numbers that ask you to visit a website.
Here’s the second bit of good news: Jiang said Google is already aware of the problem and working on a fix. After his team discovered the flaw and contacted the company, representatives responded in 10 minutes. Two days later, Google developers had confirmed the vulnerability and pledged to patch it in future releases.
“Google has been very responsive. That’s a very good sign,” Jiang said. “Other vendors have taken weeks or months to get back to me.”
In a release about the vulnerability, Jiang also noted that his team wasn’t aware of anyone actively taking advantage of the problem. And he said he won’t release any details about how the exploit works until it’s fixed.
But don’t expect this to be the last vulnerability you hear about from the NCSU team (Jiang discovered another exploit I covered back in April). That’s because the associate professor of computer science heads up the Android Malware Genome Project, which aims to identify as many threats to the platform as possible.
The hope, Jiang said, is to use that knowledge not only to create more effective solutions to malware, but to predict threats before they even become a problem. “After we are familiar with threats in the wild, we’ll know better how to deal with them,” Jiang said.