Android adware capability a vulnerability, claim boffins

North Carolina State University researchers have revealed a vulnerability in Android that allows SMS messages to be sent from one app to another without going over the air, something they say could be used for SMS phishing attacks. The Xuxian Jiang-led team is the same group that gave the world the Android click-jacking …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Is this

    Yet another vulnerability on my Android phone.

    1. Craigness
      Thumb Up

      Re: Is this

      It certainly is. By the way, your credit card company asked me to tell you to call them. There's been some misuse of your card and it's being blocked. Their number is 089812345678.

  2. Jolyon Smith
    Coat

    ads on TV which are formatted and presented as mini TV programs.

    Sure, they are broadcast in commercial breaks, but the principle is the same - "spoofing". Half-way intelligent people can tell the difference in either case and there is no financial cost to the user that I can see if the SMS is not a genuine SMS - it's not as if they had to pay to receive the non-SMS message. If advertisers want to spend their money by buying advertising thinking that they can fool people this way, I say let them.

    >beep< >beep<

    Nothing to see here, move along.

  3. Craigness

    Does this open the actual SMS app or does it create a new window which looks like an SMS app?

    1. Charles 9

      It will look to you and the system like an actual SMS message has come in. For my phone, I get a notification in my status bar and a popup. What happens varies depending on your phone's configuration, but it will for all intents and purposes act just like an SMS message. I learned this myself when I installed an app that had an adware kit. I ran a detector, found the offending app, and removed it.

      1. Markl2011
        Stop

        From the Symantec article

        "To send a spoofed SMS message there is no need to send a text message over the air. In fact, a message is never sent or received, instead, the system service in charge of receiving text messages is tricked into thinking a message has arrived—and it will happily store the text message and notify the user of the event. One can specify any arbitrary "from address" for the SMSishing attack and no special permissions are required to insert a spoofed message."

        Based on the number of actual SMS messages that I receive with SMSishing attacks in, though, it's nothing new.

        That reminds me I must find out what's happening about my PPI claim. Funny thing is I don't remember taking it out...

  4. toadwarrior
    Trollface

    Another android security issue, I'm truly shocked.

    Sent from my secure iPhone

    1. DryBones
      Trollface

      What, you mean the same one that's pwned first every Pwn2Own?

      Nice troll, but we know this sort of story about Android always leaves out or willfully ignores the start of the process, which goes something like "well if you install this app from a dodgy third-party app store (after having agreed you knew you were at your own risk by enabling sideloading and seeing the warning)..."

      1. toadwarrior
        Trollface

        First owned because it's the one everyone goes after since it's the most cherished prize of them all. So really the only bragging rights you could have is if your phone wasn't owned at all. Can you say that?

        1. DryBones
          Devil

          Nope! But neither can anyone else, which was my original point. iOS has the user base and monetary motivation to make hackers look for exploits. You just haven't heard about them.
