Millions Download SMS Spoofing Code Found on Google Play

A few days ago, researchers from North Carolina State University published a video demonstrating how an app can simulate the reception of a text message from a spoofed source. SMS spoofing can be used for a number of malicious purposes, including SMS phishing attacks (SMSishing), which could trick someone into providing banking credentials or subscribing to paid services.

The code to perform this action has been publicly documented and in use since August 2010. However, we have not yet found any instances that use the code for an SMSishing attack. Instead, the vast majority of apps use the code to deliver advertisements, including a couple hundred applications hosted on Google Play.

To send a spoofed SMS message there is no need to send a text message over the air. In fact, a message is never sent or received; instead, the system service in charge of receiving text messages is tricked into thinking a message has arrived, and it will happily store the text message and notify the user of the event. One can specify any arbitrary "from address" for the SMSishing attack, and no special permissions are required to insert a spoofed message.

We have recorded more than 250 applications that contain code using this technique, including 200 that are currently available on Google Play with millions of combined downloads. Some of the applications use the code to better integrate text messaging with instant messaging or other online services. The vast majority are using an ad network software development kit (SDK), which pushes ads straight into your SMS inbox. However, the network’s ad servers are down at the time of writing.

These applications are identified by Norton Spot, and any future malicious usage is detected by Norton Mobile Security. Users should also be wary of the source of any suspicious incoming text messages while Google modifies Android to prevent spoofing of these text messages.