Unlike the previous smishing vulnerability, which does not require any permission, this vulnerability does require the exploiting app to request the READ_SMS and WRITE_SMS permissions. However, according to the online AOSP document, READ_SMS allows an app to read SMS messages while WRITE_SMS allows an app to write SMS messages. These two permissions are supposed to have nothing to do with sending messages -- that capability is controlled by the SEND_SMS permission. (In other words, this vulnerability can be characterized as a SEND_SMS capability leak.) Because the vulnerability is contained in the AOSP project, we have reason to believe that it exists in all recent Android platforms, though we have so far only confirmed its presence in a number of phones running Android Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1).
We notified the Google Android Security Team on 11/1/2012 and so far have NOT been able to get confirmation. As approximately two weeks have passed since our report, we would like to inform the public about this potential risk. As before, we will not publish the details until a fix is released, as a matter of responsible disclosure. So far, we are not aware of any active exploitation of this issue.
In the meantime, this threat can be mitigated in several ways. For example, users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). Also, it is important to pay close attention to your monthly phone bill and to double check SMS messages sent from your phone. Finally, in this case, exploiting apps must request two permissions -- be skeptical about an app's actual need for the permissions it requests.
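The permission check suggested above can be automated when reviewing apps in bulk. The following is an added example, not part of the original advisory: it assumes each app's AndroidManifest.xml has already been decoded to text XML, and the function names, result labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute key for android:name as ElementTree exposes it.
NAME = "{http://schemas.android.com/apk/res/android}name"
PREFIX = "android.permission."


def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries in a decoded manifest."""
    # For manifests from untrusted APKs, parse with a hardened XML parser instead.
    root = ET.fromstring(manifest_xml)
    names = (e.get(NAME, "") for e in root.iter("uses-permission"))
    return {n[len(PREFIX):] for n in names if n.startswith(PREFIX)}


def classify(manifest_xml):
    """Flag the permission pattern the advisory says an exploiting app must request."""
    perms = requested_permissions(manifest_xml)
    if not {"READ_SMS", "WRITE_SMS"} <= perms:
        return "ok"
    # With SEND_SMS declared, the sending capability is at least visible at install time.
    return "declares-send" if "SEND_SMS" in perms else "review"


def manifest(*perms):
    """Build a constructed sample manifest requesting the given permissions."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}<application/></manifest>')


# Constructed samples, not taken from real apps.
SAMPLES = {
    "wallpaper": manifest("READ_SMS", "WRITE_SMS", "INTERNET"),
    "messenger": manifest("READ_SMS", "WRITE_SMS", "SEND_SMS"),
    "backup": manifest("READ_SMS"),
}

if __name__ == "__main__":
    for app, xml in SAMPLES.items():
        print(app, classify(xml))
```

A "review" result only means the app requests both permissions without declaring SEND_SMS; whether it actually needs them still has to be judged against what the app does.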
Finally, we'd like to encourage the Android Security Team to be responsive in handling reported software bugs. It is in the best interest of Android users worldwide.
Last modified: November 14th, 2012