A new phishing technique utilizing SMS messages has just been discovered in the Android Open Source Project. The vulnerability affects every version of Android, from Donut (1.6) through Éclair (2.1), Froyo (2.2), Gingerbread (2.3) and Ice Cream Sandwich (4.0), all the way up to the former iteration of Jelly Bean (4.1).
SMS phishing, also known as SMiShing, is a social engineering technique whereby a fake SMS sends you to a malicious website, or prompts you to download a malicious app onto your phone. The new vulnerability was discovered at the Department of Computer Science at North Carolina State University, where a team of researchers was able to create an app that sends fake text messages. These can easily be made to look as if they were sent by someone on your contact list.
Google has been notified of the issue, and according to the research team, “The vulnerability is now confirmed and we [were] told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.” As mentioned above, the problem is confirmed to affect almost every version of Android, and exists on popular devices such as the Samsung Galaxy S3, the HTC One X, the Galaxy Nexus, the Nexus S and others.
According to Google, the vulnerability will be fixed with the next version of Android, but what can you do until then? As usual, don’t click on suspicious links or download apps from unknown sources, and be especially aware of the fact that text messages can appear to come from known sources but still be malicious. Does a text message include a link you’re not sure about? Don’t click it, even if your mother, your wife or your bank sent it.
Have you ever fallen victim to a SMiShing attack?
Source: The Next Web