Google working on a fix for Android SMS-phishing vulnerability

November 2, 2012
6

Today we're getting a bit of alarming news, with researchers at NC State University discovering a SMS-phishing flaw in multiple Android platforms. The flaw allows malicious apps to create and "send" fake SMS messages to the user, potentially getting them to hand over personal information. The good news is that Google got to work on a patch for the vulnerability shortly after it became aware of the issue, so at least the big G is acting fast in this case.

NCSU researcher Xuxian Jiang writes that there are major causes for concern with this vulnerability: the first is that the app doesn't need to ask for permission before performing the exploit, and the second is that it's been found to affect a number of Android platforms due the fact that the vulnerability is in the Android Open Source Project. Though the researchers have only confirmed its existence on a handful of phones - including the Galaxy S III, Nexus S, and Galaxy Nexus - the vulnerability is present in Gingerbread, Ice Cream Sandwich, and Jelly Bean.

That means the problem could potentially cause headaches for a lot of different users, but thankfully, NCSU says that they "are not aware of any active exploitation of this issue." NCSU isn't going to show how to take advantage of this vulnerability, thus proving it exists, until Google has delivered a fix. Instead, the researchers merely wanted to warn people of this vulnerability so no one falls victim to this SMS-phishing schemes.

What's particularly nerve-wracking about this vulnerability is that it can make these bogus text messages appear to be from people in your phone book or banks. It goes without saying that you should be suspicious of text messages asking you to hand over personal information. Keep it tuned here to Android Community, as we'll update you once we hear more on the situation.

[via NCSU; via The Abstract]


Recent Stories
  • Raj

    How does the fix for gingerbread delivered since there is no upgrade path for my phone which samsung I (captivate)

    • http://www.facebook.com/profile.php?id=1312291338 Tim Miller

      You… probably simply won’t get the fix. This is the problem with non-Nexus devices.

      • Raj

        Does this mean even if I have galaxy s3, I won’t get the fix till such time samsung qualifies then AT&T adds its bloatware and release it which is typically 6 months to a year ?

      • http://www.facebook.com/profile.php?id=1312291338 Tim Miller

        Pretty much! I’ve never been happier with my phone service since getting an unlocked Galaxy Nexus and going prepaid. Contracts are evil.

  • Androided

    That’s great. By the time the carriers incorporate the patches and send the updates to the phones, another year will have passed. At least I’ll probably only have to wait six months since I have a Verizon Galaxy Nexus.
    This is the one area that I wish Google could do like Apple and actually be able to push updates to phones.

  • notRaj

    Raj your phone has been out for several years now, buy a new phone or visit XDA Developers to get upgrades yourself. Companies can’t be held liable for supporting devices that are EOL’ed.