One serious aspect of the vulnerability is that it does not require the (exploiting) app to request any permission to launch the attack. (In other words, this can be characterized as a WRITE_SMS capability leak.) Another serious aspect is that the vulnerability appears to be present in multiple Android platforms -- in fact, because the vulnerability is contained in the Android Open Source Project (or AOSP), we suspect it exists in all recent Android platforms, though we have so far only confirmed its presence in a number of phones, including Google Galaxy Nexus, Google Nexus S, Samsung Galaxy SIII, HTC One X, HTC Inspire, and Xiaomi MI-One. The affected platforms that have been confirmed range from Froyo (2.2.x) through Gingerbread (2.3.x) and Ice Cream Sandwich (4.0.x) to Jelly Bean (4.1).
We notified the Google Android Security Team on 10/30/2012 and were -- as always -- impressed to receive their response within 10 minutes. The confirmation of the vulnerability's presence arrived on 11/1/2012 -- two days after our initial report. From their response, we can infer that they took this issue seriously and investigated it without delay.
The vulnerability is now confirmed and we were told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.
For responsible disclosure, we will not publish the details of the vulnerability until an ultimate fix is out. However, we would like to inform the public about the potential risk, which is the reason why we have created this webpage.
Before the ultimate fix is out, this threat can be mitigated in several ways. For example, users are encouraged to be cautious when downloading and installing apps (particularly from unknown sources). As always, it is important to pay close attention to received SMS text messages, in order to avoid being duped by possible phishing attacks.
Finally, we'd like to thank the Android Security Team for verifying the presence of this vulnerability and keeping us informed as this fix progresses.
Last modified: November 28th, 2012