
Friday, November 9, 2012

Symantec Security Response: Millions Download SMS Spoofing Codes Found on Google Play

A few days ago, researchers from North Carolina State University published a video demonstrating how an app can simulate the reception of a text message from a spoofed source. SMS spoofing can be used for a number of malicious intentions, including SMS phishing attacks (SMSishing), which could trick someone into providing banking credentials or subscribing to paid services.

Although the code has been publicly documented and used since August 2010, Symantec has yet to find any instances that use the code for an SMSishing attack. Instead, the vast majority of apps use the code to deliver advertisements, including a couple hundred applications hosted on Google Play. Symantec has recorded more than 250 applications that contain code using this technique, including 200 that are currently available on Google Play with millions of combined downloads.

To send a spoofed SMS message there is no need to send a text message over the air. In fact, no message is ever sent or received; instead, the system service in charge of receiving text messages is tricked into thinking a message has arrived, and it will happily store the text message and notify the user of the event. One can specify any arbitrary "from address" for the SMSishing attack, and no special permissions are required to insert a spoofed message.

Some of the applications use the code to better integrate text messaging with instant messaging or other online services. The vast majority are using an ad network software development kit (SDK), which pushes ads straight into your SMS inbox. However, the network’s ad servers are down at the time of writing.

Users should be wary of the source of any suspicious incoming text messages while Google modifies Android to prevent spoofing of these text messages. These applications may be identified by Norton Spot, and any future malicious usage is detected by Norton Mobile Security.
