Smishing Vulnerability in Multiple Android Platforms (including Gingerbread, Ice Cream Sandwich, and Jelly Bean)

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

While continuing our efforts on various smartphone-related research projects, we came across a smishing (SMS-Phishing) vulnerability in popular Android platforms. This vulnerability allows a running app on an Android phone to fake arbitrary SMS text messages, which will then be received by phone users. We believe such a vulnerability can be readily exploited to launch various phishing attacks (e.g., [1], [2], and [3]).

One serious aspect of the vulnerability is that it does not require the (exploiting) app to request any permission to launch the attack. (In other words, this can be characterized as a WRITE_SMS capability leak.) Another serious aspect is that the vulnerability appears to be present in multiple Android platforms -- in fact, because the vulnerability is contained in the Android Open Source Project (or AOSP), we suspect it exists in all recent Android platforms, though we have so far only confirmed its presence in a number of phones, including Google Galaxy Nexus, Google Nexus S, Samsung Galaxy SIII, HTC One X, HTC Inspire, and Xiaomi MI-One. The affected platforms confirmed so far are Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1).

We notified the Google Android Security Team on 10/30/2012 and were -- as always -- impressed to receive their response within 10 minutes. Confirmation of the vulnerability's presence arrived on 11/1/2012 -- two days after our initial report. From their response, we can infer that they took this issue seriously and investigated it without delay.

The vulnerability is now confirmed and we were told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.

For responsible disclosure, we will not publish the details of the vulnerability until an ultimate fix is out. However, we would like to inform the public about the potential risk, which is the reason why we have created this webpage.

Before the ultimate fix is out, this threat can be mitigated in several ways. For example, users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). As always, it is important to pay close attention to received SMS text messages, in order to avoid being duped by possible phishing attacks.

Finally, we'd like to thank the Android Security Team for verifying the presence of this vulnerability and keeping us informed as this fix progresses.

Updates:

Related links:

Last modified: November 28th, 2012