SEND_SMS Capability Leak in Android Open Source Project (AOSP), Affecting Gingerbread, Ice Cream Sandwich, and Jelly Bean

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Since our discovery of the Smishing vulnerability in AOSP on 10/30/2012, we have recently identified another SMS-related vulnerability in popular Android platforms. This vulnerability allows a running app on an Android phone to inappropriately obtain the capability to send SMS messages without actually requesting the appropriate SEND_SMS permission. We believe such a vulnerability can be exploited to send out SMS spam, or to defraud users by texting premium-rate numbers.

Unlike the previous smishing vulnerability, which does not require any permission, this vulnerability does require the exploiting app to request the READ_SMS and WRITE_SMS permissions. However, according to the online AOSP document, READ_SMS allows an app to read SMS messages while WRITE_SMS allows an app to write SMS messages. These two permissions are supposed to have nothing to do with sending messages -- that capability is controlled by the SEND_SMS permission. (In other words, this vulnerability can be characterized as a SEND_SMS capability leak.) Because the vulnerability is contained in the AOSP project, we have reason to believe that it exists in all recent Android platforms, though we have so far only confirmed its presence in a number of phones running Android Froyo (2.2.x), Gingerbread (2.3.x), Ice Cream Sandwich (4.0.x), and Jelly Bean (4.1).

We notified the Google Android Security Team on 11/1/2012 and so far have NOT been able to get confirmation. As approximately two weeks have passed since our report, we would like to inform the public about this potential risk. As before, we will not publish the details until a fix is released, as a matter of responsible disclosure. So far, we are not aware of any active exploitation of this issue.

In the meantime, this threat can be mitigated in several ways. For example, users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). Also, it is important to pay close attention to your monthly phone bill and to double check SMS messages sent from your phone. Finally, in this case, exploiting apps must request two permissions -- be skeptical about an app's actual need for the permissions it requests.
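
The permission review suggested above can be automated across a set of apps. The following is an added example, not code from the author or from AOSP; it assumes permission listings in the text format printed by `aapt dump permissions`, and the package names in the sample are constructed.

```python
import re

READ, WRITE, SEND = (
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.SEND_SMS",
)

# Constructed sample: concatenated `aapt dump permissions <apk>` output for
# three hypothetical apps (package names are made up for illustration).
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.WRITE_SMS'
package: com.example.messenger
uses-permission: android.permission.READ_SMS
uses-permission: android.permission.WRITE_SMS
uses-permission: android.permission.SEND_SMS
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

# Accept both the older bare form and the newer name='...' form.
_PKG = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
_PERM = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(text):
    """Return {package: set(permissions)} from aapt-style listing text."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _PKG.match(line)
        if m:
            current = apps.setdefault(m.group(1), set())
            continue
        m = _PERM.match(line)
        if m and current is not None:
            current.add(m.group(1))
    return apps

def flag_sms_review(apps):
    """Packages requesting READ_SMS and WRITE_SMS without declaring SEND_SMS."""
    return sorted(p for p, perms in apps.items()
                  if {READ, WRITE} <= perms and SEND not in perms)

if __name__ == "__main__":
    for pkg in flag_sms_review(parse_permissions(SAMPLE)):
        print("review:", pkg)
```

A flagged package is only a candidate for manual review: the combination shows that the app asked for the two permissions named in this advisory, not that it misuses them.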

Finally, we'd like to encourage the Android Security Team to be responsive in handling reported software bugs. It is in the best interest of Android users worldwide.

Updates:

Last modified: November 14th, 2012