Hundreds of Google Play apps create spoofed messages in users' SMS inboxes, Symantec says

The technique could be used for SMS phishing attacks

About 200 Android applications currently hosted on Google Play create spoofed SMS messages on the devices they are installed on, according to security researchers from antivirus vendor Symantec.

This technique can theoretically be used for SMS phishing, a type of attack where users are asked for sensitive information or to subscribe to paid services through rogue SMS messages that appear to originate from a trusted source.

However, the applications detected so far use the technique for other purposes, like displaying advertisements, Mario Ballano, a security researcher at Symantec, said Monday in a blog post.

Last Friday, security researchers from North Carolina State University announced the discovery of a so-called "smishing" (SMS phishing) vulnerability in the Android Open Source Project (AOSP) -- the code that serves as the basis for most Android firmware created by phone manufacturers.

The vulnerability allows a running app without any special permissions to directly write text messages with spoofed sender addresses (telephone numbers) and arbitrary content in the user's SMS inbox.

"We believe such a vulnerability can be readily exploited to launch various phishing attacks," Xuxian Jiang, an associate professor in the Department of Computer Science at NC State University, said at the time. The Google Android Security Team was notified and confirmed that a change will be made in a future Android release to stop this behavior, he said.

However, the code to generate such spoofed SMS messages locally has been publicly documented and used since August 2010, Ballano said.

"We have recorded more than 250 applications that contain code using this technique including 200 that are currently available on Google Play with millions of combined downloads," the researcher said. "Some of the applications use the code to better integrate text messaging with instant messaging or other online services. The vast majority are using an ad-network software development kit (SDK), which pushes ads straight into your SMS inbox."

Even though Symantec has not yet detected an app that used this technique for SMS phishing, users should be wary of the source of any suspicious incoming text messages until Google solves this problem in Android, Ballano said.


Lucian Constantin

IDG News Service