Android already has been the target of a lot of malware applications since its birth and researchers at NC State University, USA have discovered another vulnerability related to smishing that allows attackers to make the phone display arbitrary text messages appearing to come from the user’s contacts. This vulnerability can be exploited by an app that is installed and running on the user’s phone. A major issue is the fact that it does not require the user to provide any extra permissions to the malware application. This can easily be taken advantage of by any harmful application which can force the phone to display an incoming message even though it was not actually sent by the real sender.
Researchers have reported the vulnerability to Google, adding that it affects multiple versions of the platform ranging from Gingerbread, Ice Cream Sandwich and Jellybean. Google has responded by saying it will be fixing the issue in a “future Android release” and that no exploitation has actually taken place as per their knowledge. The researchers refused to provide proof and provide details regarding the exact leak until it is patched by Google. They have, however, released the following video of a demo application that can fake the reception of a random text message from an arbitrary number:
The only solution that developers have suggested as of now is to take caution in downloading apps from unknown sources and to avoid revealing personal information in response to suspicious messages. Hopefully, this will be plugged in the upcoming Android 4.2 release, though it is of concern how it will be patched to phones that are not able to upgrade to the latest version of Android.
