Proof of Concept app which takes advantage of Android's SmsReceiverService
being exported to fake an incoming SMS with no permissions.
On 2012-10-30 NCSU notified Google about a "Smishing" vulnerability (1) in Android. The vulnerability appears to be due to Android exporting SmsReceiverService
in the com.android.mms
app with no apparent restrictions. A third party app can therefore pass an explicit Intent to the SMS app containing a fake SMS message and the SMS app will process it.
This issue has been known about and used for some time (2,3,4) by test apps and apps designed to intercept, alter and pass on SMS messages. NCSU were the first to publically highlight the security vulnerability that arises from this functionality, namely that a user can be tricked into taking action on a faked SMS message.
Google commited a fix to Android 4.2_r1 a few days after notification on 2012-11-02.
This PoC app simply wraps existing code already made public so that the issue can be validated and countermeasures designed while users wait for the patch.