Android Smishing Vulnerability Found in Android Open Source Project Firmware

A vulnerability discovered in the Android Open Source Project enables malicious applications to send SMS messages without user permission across all recent Android platforms.While no exploits are active in the wild, one could be built that could be at the center of various SMS phishing, or smishing, attacks, said Xuxian Jiang, associate professor in the North Carolina State University computer science department.

Android Open Source ProjectA vulnerability discovered in the Android Open Source Project enables malicious applications to send SMS messages without user permission across all recent Android platforms.

While no exploits are active in the wild, one could be built that could be at the center of various SMS phishing, or smishing, attacks, said Xuxian Jiang, associate professor in the North Carolina State University computer science department.

Jiang, who has reported a number of Android security issues in the past to Google, told Threatpost he has confirmed the vulnerability on a number of platforms dating back to Android version 1.6, known as Donut, all the way up to Gingerbread (2.3), Ice Cream Sandwich (4.0) and Jelly Bean (4.1). The Android Open Source Project (AOSP) is the firmware upon which a number of Android devices are built. Jiang has tested and confirmed AOSP vulnerability on a number of phones as well, including the Samsung Galaxy S III, Google Galaxy Nexus and Nexus S and others.

Jiang developed a demonstration application which exploits the vulnerability. The demo app was installed on a Galaxy S III, as well as the original Android developer phone, neither of which carried a SIM card, meaning neither phone could not receive voice or SMS messages–also, during installation, the application did not request any permissions. Yet once the application runs, the user receives a text message from the app asking for personal information.

“It can fake all kinds of sources and create arbitrary incoming numbers,” Jiang said. “Which means: text messages asking for user names, passwords and other information. The vulnerability does not leak information, but it can be used to allow phishing attacks.”

The vulnerability, Jiang said, does not require the malicious application to request permission from the user. Jiang calls it a WRITE_SMS capability leak, which essentially means an application gains access to a permission such as writing or sending text messages without requesting it.

Jiang would not disclose any details on the vulnerability, which he shared with Google last Tuesday. Google replied within minutes and promised a fix shortly.

“Given the vulnerability is going to be known, you could see some phishing attacks launch. The exploits are very reliable,” Jiang said. “We used the same demo app against different phones from different vendors and they all worked. The bug is part of the open source project, so the base is vulnerable and used by a lot of vendors.”

Suggested articles

Pentagon Decision Moves Android Security Forward

The Pentagon’s decision to endorse a hardened version of Android for use inside the DoD is a smart move forward, experts said. A wholesale blessing of the Android platform isn’t possible given the various flavors of the OS. Meanwhile, attackers continue to probe deeper at kernel and OS flaws.

Sandia Lab’s MegaDroid Project Builds Out Massive Android Test Platform

It might sound like a security researcher’s worst nightmare to string together 300,000 virtual instances of the Android OS, but for scientists at Sandia National Laboratories, it’s just another day.The Department of Energy-sponsored national security-focused laboratory released the MegaDroid project on Tuesday, a cluster of 300,000 networked virtual machines running Android on commodity hardware. The project gives scientist a massively scaled platform to test anything that could cause a network disruption, including malware or an attack on critical infrastructure.

Discussion

  • Anonymous on

    Many thanks to Asst. Professor Jiang. He's one of the good guys.

    CR

  • Anonymous on

    You dont need an application to test this exploit.

    Use a sms spoofer and you have SAME progress. Contact me if you need one, it is public and on internet.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.