SMS Phishing Exploit Found on Android

There’s a new security vulnerability in the Android world. This one focuses on fake SMS messages that can trick you into sharing information. An associate professor at NC State University came across this while working on a research project focused on smartphones. Basically, any nefarious application could display an SMS notification on the device and make it appear to come from a person listed in the device’s contacts. Typically, these phishing attempts are aimed at getting unsuspecting users to a fake website where they would enter personal information. What’s worrisome about this particular attack is that the SMS message would appear to be from a known source, making it all the more likely that you will follow the link or attempt to assist in some way.

Google has been made aware of the issue and has confirmed its existence, and a fix will be issued in a future release of Android. And this is where I get a little worried. “A future Android release”? The actual number of devices that get upgrades is pretty small, and considering that this vulnerability dates back to Android 1.6 (Donut), that’s a large number of people left out in the cold. Google should be looking at releasing a patch or hotfix that can be applied to all devices, regardless of whether they have been updated to the newest OS.

I fully expect the hard-core Android community to brush it off by saying that you should be more careful about the applications you choose to install. That’s an old and tired excuse that many used back in the Windows XP days. Yes, you should be careful, but at the same time the OS needs to be responsible for these security holes and they need to take steps to protect their users. Installing anti-virus is only part of the solution, and many don’t want that on their mobile devices. It’s getting harder and harder for me to recommend Android devices to the non-tech-savvy user.

(Source = NC State University via Engadget)

