While no exploits are active in the wild, one could be built that could be at the center of various SMS phishing, or smishing, attacks, said Xuxian Jiang, associate professor in the North Carolina State University computer science department.
Jiang, who has reported a number of Android security issues in the past to Google, told Threatpost he has confirmed the vulnerability on a number of platforms dating back to Android version 1.6, known as Donut, all the way up to Gingerbread (2.3), Ice Cream Sandwich (4.0) and Jelly Bean (4.1). The Android Open Source Project (AOSP) is the firmware upon which a number of Android devices are built. Jiang has tested and confirmed AOSP vulnerability on a number of phones as well, including the Samsung Galaxy S III, Google Galaxy Nexus and Nexus S and others.
Jiang developed a demonstration application which exploits the vulnerability. The demo app was installed on a Galaxy S III, as well as the original Android developer phone, neither of which carried a SIM card, meaning neither phone could not receive voice or SMS messages–also, during installation, the application did not request any permissions. Yet once the application runs, the user receives a text message from the app asking for personal information.
“It can fake all kinds of sources and create arbitrary incoming numbers,” Jiang said. “Which means: text messages asking for user names, passwords and other information. The vulnerability does not leak information, but it can be used to allow phishing attacks.”
The vulnerability, Jiang said, does not require the malicious application to request permission from the user. Jiang calls it a WRITE_SMS capability leak, which essentially means an application gains access to a permission such as writing or sending text messages without requesting it.
Jiang would not disclose any details on the vulnerability, which he shared with Google last Tuesday. Google replied within minutes and promised a fix shortly.
“Given the vulnerability is going to be known, you could see some phishing attacks launch. The exploits are very reliable,” Jiang said. “We used the same demo app against different phones from different vendors and they all worked. The bug is part of the open source project, so the base is vulnerable and used by a lot of vendors.”