Researchers at NC State University have discovered a vulnerability that allows a zero-permission App to fake SMS messages and thus lead to potential SMS Phishing (or SMiShing). By creating fake SMS messages from legitimate-looking sources, a malware app could fool a user into clicking on a link to a rogue site with the intention of phishing for personal information. While this process is not new, and Apps that create fake SMS messages have been around for a while, this vulnerability allows an App to do so without asking for any SMS permission.
Google has confirmed this vulnerability as of 11/1/2012 and promised a fix/update in future Android versions. Affected versions of Android include Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1). Researchers even confirmed it all the way back to Android 1.6.
As more unfolds on this issue, we’ll keep you updated. In the meantime, please watch the “SMiShing Vulnerability Demo in Android” video below.