Android users, beware of ‘smishing’

11/24/2012 12:00 AM

11/23/2012 5:41 PM

The text message can come out of nowhere.

At first glance, it may even seem legitimate. Maybe your bank needs you to update your account information, so click this link. Or your cellphone provider asks you to change your password for security reasons by visiting some Web address.

But behind those links are sites run by opportunists looking to capture and profit off any sensitive information you provide.

If the technique sounds familiar, that’s because it’s essentially the smartphone equivalent to email phishing. SMS phishing, or “smishing,” may not be brand new to the malware scene, but computer scientists at North Carolina State University discovered a vulnerability this month that puts Android users in particular risk.

The research team, led by Xuxian Jiang, found that a number of Android phones allowed downloaded applications to send fraudulent text messages back to their own devices. The app doesn’t notify the user or even need to ask for permission to access text messaging capabilities, which apps are normally required to do.

The exploit would allow an attacker to develop a fake application (or alter an existing one), get Android users to download it to their phones, and trigger smishing attacks to trick users into sharing private information.

Despite a handful of Android versions floating around, Jiang’s team found that the vulnerability is widespread, ranging from versions 2.2 (nicknamed Froyo) to 4.1 (Jelly Bean). That accounts for more than 90 percent of Android users as of Nov. 1, according to Google’s Developer Dashboard.

“Any app can fake a text message,” Jiang said in a phone interview.

“Almost all Android-based smartphones are vulnerable.”

But the good news is twofold.

First off, Jiang says risk is easy to manage when it comes to smishing, especially if users avoid downloading applications from suspicious publishers.

Editor's Choice Videos

Join the Discussion

The State is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere on the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Terms of Service