New Phishing Vulnerability Discovered In All Versions Of Android [Updates]


A new phishing technique that uses SMS messages has just been discovered in the Android Open Source Project. The vulnerability affects every version of Android from Donut (1.6) through Éclair (2.1), Froyo (2.2), Gingerbread (2.3) and Ice Cream Sandwich (4.0), all the way up to the previous Jelly Bean release (4.1).

SMS phishing, also known as SMiShing, is a social engineering technique whereby a fake SMS sends you to a malicious website, or prompts you to download a malicious app onto your phone. The new vulnerability was discovered in the Department of Computer Science at North Carolina State University, where a team of researchers was able to create an app that sends fake text messages. These can easily be made to look as if they came from someone on your contact list.

Google has been notified of the issue, and according to the research team, “The vulnerability is now confirmed and we [were] told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.” As mentioned above, the problem is confirmed to affect almost every version of Android, and exists on popular devices such as the Samsung Galaxy S3, the HTC One X, the Galaxy Nexus, the Nexus S and others.


According to Google, the vulnerability will be fixed in the next version of Android, but what can you do until then? As usual, don’t click on suspicious links or download apps from unknown sources, and be especially aware that text messages can appear to come from known sources but still be malicious. Does a text message include a link you’re not sure about? Don’t click it, even if your mother, your wife or your bank sent it.

Did you ever fall victim to a SMiShing attack?

Source: The Next Web

29 Comments


Anonymous

Good to know, thanks.


Gregori Gualdron

I was wondering if JellyBean+ are safe?

James Marshall

The write-up here says, “The vulnerability affects every version of Android going … all the way up to the former iteration of Jellybean (4.1)”. This suggests that Jelly Bean 4.1 is vulnerable, while Jelly Bean 4.2 is not, but perhaps someone with more details can clarify and let us know for sure.

Yaara Lancet

As I mentioned in my comment to Gregori, I’m actually assuming 4.2 is not safe, I just think they haven’t verified it yet and that’s why it’s not mentioned in their report.

Yaara Lancet

As far as I could understand it, the researchers found this for sure on Jellybean 4.1, but they did not mention 4.2.

My guess is that they just did not test it thoroughly on 4.2, not that 4.2 is safe. If it were, Google would just come out and say “hey, no problem, it’s already fixed in 4.2”. Since Google said the fix will come in the next version, I’m assuming it exists in 4.2 as well.

Patrick Jackson

Well, Android 4.2 is not yet available for developers. So until then, all we can do is wait. Nevertheless, now people should know this before buying a Jelly Bean 4.2 device or rooting their phones to Jelly Bean 4.2 in future! :)

Patrick Jackson

At last, moral of the story, S40 still rocks (even though it cannot), as there is a ‘sense’ of security, as nothing can be done with it! :)

What say!


Bumferry Hogart

I have received texts from people in my contacts list with random links before. I have never opened them, not because I think they might be malicious but generally because the people sending them are the sort to send stupid “funny” jokes and the like.
I would never EVER open a link unless I knew where it came from or what context it was sent over.
The problem comes with things like bit.ly links.
I use these on twitter sometimes but am always wary as it’s hard to tell where in the world wide web it will send you if you click it.


Félix S. De Jesús

One question is if that includes Android Tablets…

Yaara Lancet

The researchers didn’t mention Honeycomb at all, so I don’t know about older tablets, but if your tablet can receive text messages, I would be careful about those just the same.


James Marshall

Not long ago, I read about an app called LinkBuster (https://play.google.com/store/apps/details?id=com.jp.linkbuster) that lets you check where links go before you visit them. From what I’ve seen, when you click a link, a box pops up asking you what you want to open it with — you can pick LinkBuster instead of your web browser to get info on the link via Web Of Trust. It seems to work fine with shortened links and full links. This could be a helpful tool for people to install and use if they come across suspicious links.

Yaara Lancet

Sounds like a really useful tool! Thank you for recommending it, I will definitely check it out.


Igor Rizvi?

Until next version of android…oh gosh :S


Raghav Gupta

Thanks for sharing. I may have been caught in this too


Adam Campbell

here’s my surprised face… oh wait, i’m not


Boni Oloff

Wow, a little scary. The system itself is not secure. I am saying I don’t like Android. I think iOS is a lot better, and a lot faster and stable I think. After using Android and iOS, I can say this.


Nikhil Chandak

Thanks for telling
something new for me !!


Alex Perkins

Luckily I haven’t fallen to any of this, I never got one.


Anthony Monori

So if I’m on 4.2 I’m safe?! God I love CM 10 on my SGS original.

Boni Oloff

Yeah, I also like Cyano Mod. I use it when I still use my Android.

Yaara Lancet

4.2 just wasn’t tested, I believe. I think it probably has the same problem, though.


Daniel Escasa

One thing phishers can’t imitate is the texting “style” of those on your contact list. E.g., one of my friends just hates sending text messages — he would much rather call — and anything longer than two words is suspect. Heck, anything longer than three characters is suspect. Another one is as fastidious about her spelling as I am, a third is completely careless, a fourth invents his own words and abbreviations. I think that about covers the texting styles of my friends. Point is, if I receive a text message that’s out of character, I don’t click on any links they may send. And even if I do, I’m not about to enter any sensitive information on the page I land on.

Yaara Lancet

That’s a very good point. I use this myself, and it’s saved me from clicking malicious links when my friend managed to get her MSN account hacked. No matter how “real” they tried to make it look, it was really obvious it wasn’t her writing!


Patrick Jackson

Yes, the only thing that this explains that the people that use smartphones, should be ‘smart’ enough themselves ( ! :) ), as it is us who operate it, and AI is not present in phones yet!


SmarterThanYou

I solved the problem. I use iOS 6.1
HA! Now quit trolling websites bashing iphones in favor of androids. As if google (or apple) care two cents about your fanaticism.


Márcio Guerra

Nice to know, although I don’t usually open links through sms services…

Cheers

Márcio Guerra


Mary Lee. Valenti

What I want to know is how to get rid of SMS spam. I rarely give my cell phone number out, but as soon as I got my Samsung SIII, I started getting it.

Tina

Mary,

in case you are still looking for an answer, I recommend asking your question on MakeUseOf Answers. Good luck!
