A new phishing technique utilizing SMS messages has just been discovered in the Android Open Source Project. The vulnerability affects every version of Android going as far back as Donut (1.6), and all the way up to the former iteration of Jellybean (4.1), including Éclair (2.1), Froyo (2.2), Gingerbread (2.3) and Ice Cream Sandwich (4.0) in between.
SMS phishing, also known as SMiShing, is a social engineering technique whereby a fake SMS sends you to a malicious website, or prompts you to download a malicious app onto your phone. The new vulnerability was discovered in the Department of Computer Science at North Carolina State University, where a team of researchers was able to create an app that sends fake text messages. These can easily be made to look as if they were sent by someone on your contact list.
Google has been notified of the issue, and according to the research team “The vulnerability is now confirmed and we [were] told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.” As mentioned above, the problem is confirmed to affect almost every version of Android, and exists on popular devices such as the Samsung Galaxy S3, the HTC One X, the Galaxy Nexus, the Nexus S and others.
According to Google, the vulnerability will be fixed in the next version of Android, but what can you do until then? As usual, don’t click on suspicious links or download apps from unknown sources, and be especially aware that a text message can appear to come from a known sender and still be malicious. Does a text message include a link you’re not sure about? Don’t click it, even if your mother, your wife or your bank sent it.
Did you ever fall victim to a SMiShing attack?
Source: The Next Web
Good to know, thanks.
I was wondering if JellyBean+ are safe?
The write-up here says, “The vulnerability affects every version of Android going … all the way up to the former iteration of Jellybean (4.1)”. This suggests that Jelly Bean 4.1 is vulnerable, while Jelly Bean 4.2 is not, but perhaps someone with more details can clarify and let us know for sure.
As I mentioned in my comment to Gregori, I’m actually assuming 4.2 is not safe, I just think they haven’t verified it yet and that’s why it’s not mentioned in their report.
As far as I could understand it, the researchers found this for sure on Jellybean 4.1, but they did not mention 4.2.
My guess is that they just did not test it thoroughly on 4.2, not that 4.2 is safe. If it were, Google would just come out and say “hey, no problem, it’s already fixed in 4.2”. Since Google said the fix will come in the next version, I’m assuming it exists in 4.2 as well.
Well, Android 4.2 is not yet available for developers. So until then, all we can do is wait. Nevertheless, now people should know this before buying a Jelly Bean 4.2 device or rooting their phones to Jelly Bean 4.2 in future! :)
At last, moral of the story, S40 still rocks (even though it cannot), as there is a ‘sense’ of security, as nothing can be done with it! :)
What say!
I have received texts from people in my contacts list with random links before. I have never opened them, not because I think they might be malicious but generally because the people sending them are the sort to send stupid “funny” jokes and the like.
I would never EVER open a link unless I knew where it came from or what context it was sent over.
The problem comes with things like bit.ly links.
I use these on Twitter sometimes but am always wary as it’s hard to tell where in the world wide web it will send you if you click it.
There are solutions for shortened links as well. Some Twitter clients automatically show you the full version of the link when you hover over it. If yours doesn’t do it, there are several services that can do it for you. You can find some options here:
http://www.makeuseof.com/tag/5-browser-extensions-expand-shortened-urls/
One question is if that includes Android Tablets…
The researchers didn’t mention Honeycomb at all, so I don’t know about older tablets, but if your tablet can receive text messages, I would be careful about those just the same.
Not long ago, I read about an app called LinkBuster (https://play.google.com/store/apps/details?id=com.jp.linkbuster) that lets you check where links go before you visit them. From what I’ve seen, when you click a link, a box pops up asking you what you want to open it with — you can pick LinkBuster instead of your web browser to get info on the link via Web Of Trust. It seems to work fine with shortened links and full links. This could be a helpful tool for people to install and use if they come across suspicious links.
Sounds like a really useful tool! Thank you for recommending it, I will definitely check it out.
Until the next version of Android… oh gosh :S
Thanks for sharing. I may have been caught in this too
Here’s my surprised face… oh wait, I’m not.
Wow, a little scary. The system itself is not secure. I am saying I don’t like Android. I think iOS is a lot better, and a lot faster and more stable I think. After using Android and iOS, I can say this.
Thanks for telling
Something new for me!!
Luckily I haven’t fallen to any of this, I never got one.
So if I’m on 4.2 I’m safe?! God I love CM 10 on my SGS original.
Yeah, I also like CyanogenMod. I used it when I still used my Android.
4.2 just wasn’t tested, I believe. I think it probably has the same problem, though.
One thing phishers can’t imitate is the texting “style” of those on your contact list. E.g., one of my friends just hates sending text messages — he would much rather call — and anything longer than two words is suspect. Heck, anything longer than three characters is suspect. Another one is as fastidious about her spelling as I am, a third is completely careless, a fourth invents his own words and abbreviations. I think that about covers the texting styles of my friends. Point is, if I receive a text message that’s out of character, I don’t click on any links they may send. And even if I do, I’m not about to enter any sensitive information on the page I land on.
That’s a very good point. I use this myself, and it’s saved me from clicking malicious links when my friend managed to get her MSN account hacked. No matter how “real” they tried to make it look, it was really obvious it wasn’t her writing!
Yes, the only thing that this explains is that the people that use smartphones should be ‘smart’ enough themselves ( ! :) ), as it is us who operate it, and AI is not present in phones yet!
I solved the problem. I use iOS 6.1
HA! Now quit trolling websites bashing iPhones in favor of Androids. As if Google (or Apple) care two cents about your fanaticism.
Nice to know, although I don’t usually open links through sms services…
Cheers
Márcio Guerra
What I want to know is how to get rid of SMS spam. I rarely give my cell phone number out, but as soon as I got my Samsung SIII, I started getting it.
Mary,
in case you are still looking for an answer, I recommend asking your question on MakeUseOf Answers. Good luck!