
A new phishing technique utilizing SMS messages has just been discovered in the Android Open Source Project. The vulnerability affects every version of Android going as far back as Donut (1.6), and all the way up to the former iteration of Jellybean (4.1), by way of Éclair (2.1), Froyo (2.2), Gingerbread (2.3) and Ice Cream Sandwich (4.0).

SMS phishing, also known as SMiShing, is a social engineering technique whereby a fake SMS sends you to a malicious website, or prompts you to download a malicious app onto your phone. The new vulnerability was discovered at the department of computer science at North Carolina State University, where a team of researchers were able to create an app that sends fake text messages. These can easily be made to look as if they were received from someone on your contact list.

Google has been notified of the issue, and according to the research team, “The vulnerability is now confirmed and we [were] told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.” As mentioned above, the problem is confirmed to affect almost every version of Android, and exists on popular devices such as the Samsung Galaxy S3, the HTC One X, the Galaxy Nexus, the Nexus S and others.

According to Google, the exploit will be fixed with the next version of Android, but what can you do until then? As usual, don’t click on suspicious links or download apps from unknown sources, and be especially aware of the fact that text messages can appear to come from known sources but still be malicious. Does a text message include a link you’re not sure about? Don’t click it, even if your mother, your wife or your bank sent it.

Did you ever fall victim to a SMiShing attack?


Source: The Next Web

  1. Mary Lee. Valenti
    November 8, 2012 at 1:07 pm

    What I want to know is how to get rid of SMS spam. I rarely give my cell phone number out, but as soon as I got my Samsung SIII, I started getting it.

    • Tina
      November 16, 2012 at 9:13 pm


      In case you are still looking for an answer, I recommend asking your question on MakeUseOf Answers. Good luck!

  2. Márcio Guerra
    November 8, 2012 at 3:33 am

    Nice to know, although I don't usually open links through sms services...


    Márcio Guerra

  3. SmarterThanYou
    November 7, 2012 at 9:27 pm

    I solved the problem. I use iOS 6.1
    HA! Now quit trolling websites bashing iphones in favor of androids. As if google (or apple) care two cents about your fanaticism.

  4. Patrick Jackson
    November 6, 2012 at 10:07 am

    Yes, the only thing that this explains is that the people that use smartphones should be 'smart' enough themselves ( ! :) ), as it is us who operate it, and AI is not present in phones yet!

  5. Daniel Escasa
    November 6, 2012 at 5:09 am

    One thing phishers can't imitate is the texting "style" of those on your contact list. E.g., one of my friends just hates sending text messages -- he would much rather call -- and anything longer than two words is suspect. Heck, anything longer than three characters is suspect. Another one is as fastidious about her spelling as I am, a third is completely careless, a fourth invents his own words and abbreviations. I think that about covers the texting styles of my friends. Point is, if I receive a text message that's out of character, I don't click on any links they may send. And even if I do, I'm not about to enter any sensitive information on the page I land on.

    • Yaara Lancet
      November 7, 2012 at 6:18 am

      That's a very good point. I use this myself, and it's saved me from clicking malicious links when my friend managed to get her MSN account hacked. No matter how "real" they tried to make it look, it was really obvious it wasn't her writing!

  6. Anthony Monori
    November 5, 2012 at 11:20 pm

    So if I'm on 4.2 I'm safe?! God I love CM 10 on my SGS original.

    • Boni Oloff
      November 6, 2012 at 8:14 am

      Yeah, I also like Cyano Mod. I use it when I still use my Android.

    • Yaara Lancet
      November 7, 2012 at 6:18 am

      4.2 just wasn't tested, I believe. I think it probably has the same problem, though.

  7. Alex Perkins
    November 5, 2012 at 5:17 pm

    Luckily I haven't fallen to any of this, I never got one.

  8. Nikhil Chandak
    November 5, 2012 at 1:32 pm

    Thanks for telling
    something new for me !!

  9. Boni Oloff
    November 5, 2012 at 12:57 pm

    Wow, a little scary. The system itself is not secure. I am saying I don't like Android. I think iOS is a lot better, and a lot faster and stable I think. After using Android and iOS, I can say this.

  10. Adam Campbell
    November 5, 2012 at 12:55 pm

    Here's my surprised face... oh wait, I'm not

  11. Raghav Gupta
    November 5, 2012 at 4:07 am

    Thanks for sharing. I may have been caught in this too

  12. Igor Rizvi?
    November 5, 2012 at 12:08 am

    Until next version of android...oh gosh :S

  13. James Marshall
    November 4, 2012 at 10:01 pm

    Not long ago, I read about an app called LinkBuster that lets you check where links go before you visit them. From what I've seen, when you click a link, a box pops up asking you what you want to open it with -- you can pick LinkBuster instead of your web browser to get info on the link via Web Of Trust. It seems to work fine with shortened links and full links. This could be a helpful tool for people to install and use if they come across suspicious links.

    • Yaara Lancet
      November 5, 2012 at 6:35 am

      Sounds like a really useful tool! Thank you for recommending it, I will definitely check it out.

  14. Félix S. De Jesús
    November 4, 2012 at 9:57 pm

    One question is if that includes Android Tablets...

    • Yaara Lancet
      November 5, 2012 at 6:34 am

      The researchers didn't mention Honeycomb at all, so I don't know about older tablets, but if your tablet can receive text messages, I would be careful about those just the same.

  15. Bumferry Hogart
    November 4, 2012 at 9:44 pm

    I have received texts from people in my contacts list with random links before. I have never opened them, not because I think they might be malicious but generally because the people sending them are the sort to send stupid "funny" jokes and the like.
    I would never EVER open a link unless I knew where it came from or what context it was sent over.
    The problem comes with things like links.
    I use these on twitter sometimes but am always wary as it's hard to tell where in the world wide web it will send you if you click it.

  16. Gregori Gualdron
    November 4, 2012 at 8:24 pm

    I was wondering if JellyBean+ are safe?

    • James Marshall
      November 4, 2012 at 9:56 pm

      The write-up here says, "The vulnerability affects every version of Android going ... all the way up to the former iteration of Jellybean (4.1)". This suggests that Jelly Bean 4.1 is vulnerable, while Jelly Bean 4.2 is not, but perhaps someone with more details can clarify and let us know for sure.

      • Yaara Lancet
        November 5, 2012 at 6:30 am

        As I mentioned in my comment to Gregori, I'm actually assuming 4.2 is not safe, I just think they haven't verified it yet and that's why it's not mentioned in their report.

    • Yaara Lancet
      November 5, 2012 at 6:29 am

      As far as I could understand it, the researchers found this for sure on Jellybean 4.1, but they did not mention 4.2.

      My guess is that they just did not test it thoroughly on 4.2, not that 4.2 is safe. If it were, Google would just come out and say "hey, no problem, it's already fixed in 4.2". Since Google said the fix will come in the next version, I'm assuming it exists in 4.2 as well.

      • Patrick Jackson
        November 6, 2012 at 10:10 am

        Well, Android 4.2 is not yet available for developers. So until then, all we can do is wait. Nevertheless, now people should know this before buying a Jelly Bean 4.2 device or rooting their phones to Jelly Bean 4.2 in future! :)

      • Patrick Jackson
        November 6, 2012 at 10:12 am

        At last, moral of the story, S40 still rocks (even though it cannot), as there is a 'sense' of security, as nothing can be done with it! :)

        What say!

  17. Anonymous
    November 4, 2012 at 6:24 pm

    Good to know, thanks.
