Beware of fake SMS if you install APKs directly!

Listen up, folks. Mobile security researchers from NCSU have identified a new vulnerability in popular Android platforms, including Gingerbread, Ice Cream Sandwich and Jelly Bean, which together cover roughly the entire Android ecosystem today. The vulnerability has been confirmed by Google and will be addressed in a future Android release.

Xuxian Jiang’s research team at NC State has identified an SMS-phishing (“smishing”) vulnerability. If an Android user downloads an infected app, the attacking program can make it appear that the user has received an SMS, or text, message from someone on the phone’s contact list or from trusted banks. This fake message can solicit personal information, such as passwords for user accounts. Jiang says, “Users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). As always, it is important to pay close attention to received SMS text messages, in order to avoid being duped by possible phishing attacks.”

Jiang and team have notified the Google Android security team about the threat and, in the interest of responsible disclosure, will publish the details of the vulnerability only after Google releases a fix. Most recent Android phones are vulnerable, and users are advised to exercise extra caution when installing apps from unknown sources. While the latest version of Android, 4.2, is said to have real-time app scanning built in, other versions of Android are still wide open to potential attacks.