The text message can come out of nowhere.
At first glance, it may even seem legitimate. Maybe your bank needs you to update your account information, so click this link. Or your cellphone provider asks you to change your password for security reasons by visiting some Web address.
But behind those links are sites run by opportunists looking to capture and profit off any sensitive information you provide.
If the technique sounds familiar, that’s because it’s essentially the smartphone equivalent to email phishing. SMS phishing, or “smishing,” may not be brand new to the malware scene, but computer scientists at North Carolina State University discovered a vulnerability this month that puts Android users in particular risk.
The research team, led by Xuxian Jiang, found that a number of Android phones allowed downloaded applications to send fraudulent text messages back to their own devices. The app doesn’t notify the user or even need to ask for permission to access text messaging capabilities, which apps are normally required to do.
The exploit would allow an attacker to develop a fake application (or alter an existing one), get Android users to download it to their phones, and trigger smishing attacks to trick users into sharing private information.
Despite a handful of Android versions floating around, Jiang’s team found that the vulnerability is widespread, ranging from versions 2.2 (nicknamed Froyo) to 4.1 (Jelly Bean). That accounts for more than 90 percent of Android users as of Nov. 1, according to Google’s Developer Dashboard.
“Any app can fake a text message,” Jiang said in a phone interview.
“Almost all Android-based smartphones are vulnerable.”
But the good news is twofold.
First off, Jiang says risk is easy to manage when it comes to smishing, especially if users avoid downloading applications from suspicious publishers.