Despite Google’s efforts to keep Android safe and secure, researchers at NC State University have found a new vulnerability that could lead to phishing via SMS. According to Android Authority, Google has acknowledged the flaw and has given assurances that it will be addressed in future releases of Android.
Google plans to strengthen the security of the Android operating system with the upcoming Android Jelly Bean update. However, that added security is limited to applications installed from outside the Play Store.
Security researcher Xuxian Jiang’s team at NC State University discovered the SMS-phishing flaw, which has been termed SMSishing (SMS Phishing). The problem begins when the user downloads an infected app which requests to communicate via SMS. The program can then make it appear that the user has received an SMS from someone on their contact list.
Upon thorough testing, the security researchers found that the SMS vulnerability exists in the old Android 1.6 Donut as well as in recent versions such as Gingerbread (2.3), Ice Cream Sandwich (4.0) and even Jelly Bean (4.1).
In this way, the fake message can mislead the user into giving away login credentials, passwords, PINs and other personal information. The researchers informed the Android Security Team (AST) about this, and the AST verified the vulnerability. Google's Android Security Team said the vulnerability will be fixed in future updates.
Apple's iOS also faced a nasty SMS vulnerability, which was reported recently; it is claimed that the vulnerability has existed since the first iPhone shipped back in 2007.
SMS spoofing and SMSishing are two major attacks that can impact millions of users if not addressed quickly. The security teams at both camps (iOS and Android) are working on solutions to fix this without hampering the device, the dependent apps or the user in any way.