Millions Have Downloaded SMS Spoofing Android Apps

Android applications that can spoof SMS messages, potentially for scam campaigns, have been downloaded by millions, according to security firm Symantec.

The vendor said it had recorded 200 available applications on the official Google Play market, although some only contain the SMS spoofing code to “better integrate text messaging with instant messaging or other online services”.

But many are using it for aggressive advertising purposes, using an ad network software development kit (SDK) to push ads straight into SMS inboxes. Others could be using it for more malicious means, to send links to malware downloads, or asking for sensitive information, such as bank account details, in what are known as SMSishing attacks.

SMS spoofing fears

“Users should … be wary of the source of any suspicious incoming text messages while Google modifies Android to prevent spoofing of these text messages,” Symantec said in a blog post.

“However, we have not yet found any instances that use the code for an SMSishing attack. Instead, the vast majority of apps use the code to deliver advertisements, including a couple hundred applications hosted on Google Play.”

Despite Symantec’s note of caution on SMSishing scares, many are concerned about the ability for apps to push texts to users without actually sending the message across a network. Instead, the apps manipulate the phone to make it appear.

As shown by researchers from North Carolina State University last week, it is possible for apps to access users’ address books to make it appear as though the text comes from a contact. That’s ideal for SMSishing campaigns which seek to make malicious messages appear legitimate.

Researchers claimed there was a vulnerability in Android. They said it meant an exploiting app did not have to request any permission to launch a SMSishing attack.

According to the team, Google is working on a fix for the flaw for the next release of Android.

Are you a security pro? Try our quiz!