Today we’re getting a bit of alarming news, with researchers at NC State University discovering a SMS-phishing flaw in multiple Android platforms. The flaw allows malicious apps to create and “send” fake SMS messages to the user, potentially getting them to hand over personal information. The good news is that Google got to work on a patch for the vulnerability shortly after it became aware of the issue, so at least the big G is acting fast in this case.





NCSU researcher Xuxian Jiang writes that there are major causes for concern with this vulnerability: the first is that the app doesn’t need to ask for permission before performing the exploit, and the second is that it’s been found to affect a number of Android platforms due the fact that the vulnerability is in the Android Open Source Project. Though the researchers have only confirmed its existence on a handful of phones – including the Galaxy S III, Nexus S, and Galaxy Nexus – the vulnerability is present in Gingerbread, Ice Cream Sandwich, and Jelly Bean.

That means the problem could potentially cause headaches for a lot of different users, but thankfully, NCSU says that they “are not aware of any active exploitation of this issue.” NCSU isn’t going to show how to take advantage of this vulnerability, thus proving it exists, until Google has delivered a fix. Instead, the researchers merely wanted to warn people of this vulnerability so no one falls victim to this SMS-phishing schemes.

What’s particularly nerve-wracking about this vulnerability is that it can make these bogus text messages appear to be from people in your phone book or banks. It goes without saying that you should be suspicious of text messages asking you to hand over personal information. Keep it tuned here to Android Community, as we’ll update you once we hear more on the situation.

[via NCSU; via The Abstract]