Researchers at NC State University have discovered a new bug in current versions of Android that would allow malware to spoof the sender of an SMS message. The exploit works on Gingerbread, Ice Cream Sandwich, and Jelly Bean. Google has been made aware of the issue and will be releasing a security patch.

In the meantime, the team at NC State says they won't be releasing all the specifics of how it's done, but chances are someone will find it now that they know what to look for and what version changes to inspect. This means it's important that you trust any applications you plan on sideloading onto your Android device. Of course, users who pick up a Nexus 4 with the built-in sideload scanner are covered.

The bigger issue, as always, is how long it will take OEMs and carriers to push any fix out to their existing phones. Unfortunately, the answer is either "a long time" or never, so it's up to you to be vigilant. If you get an SMS message from your bank, or school, or anyone who asks for personal or login details, tap the phone icon and call them just to be on the safe side.

Source: NC State University; via Engadget

There are 9 comments

frozencloud says:

I highly doubt I will be getting this security patch for the duration of my contract (which is another year).

"releasing a security patch."

Which means exactly dick since they don't control when that update gets pushed out to handsets.

kennydude says:

This can also be useful for WiFi texting applications, but basically should be covered by a permission to insert rows into the Messaging table.

still1 says:

Jerry, you should change the title. There is no new malware. It's a new security hole which would allow malware to send txt messages.

smirkis says:

So are you saying all it is, is a text I would receive from someone claiming to be someone else? If that's it, not much to worry about. I never send info via text anyway, so text me all day.

l00natic71 says:

Spam/phishing only needs >1% to be profitable. Sadly, not everyone does like you do and not send logon/passwords through text/email. The BBC did a test where people would give up their userID/password to a stranger for a piece of candy... in real life, not in this newfangled intertubes.

schnoid says:

I would guess that if you're sideloading apps onto your phone, you also have enough sense to ignore texts asking for your username/password :-P This really is kinda dumb. Snazzy little find, but I wouldn't call this a major threat by any means.

DWR_31 says:

Do ppl still use text to get secured info on their phones?

Every bank or secured information company that we use should have a secure official app by now.

mwara244 says:

The "dump people" that scams like this affect are usually too dumb for Android and buy Apple.