PoC app which takes advantage of Android's SmsReceiverService being exported to fake an incoming SMS with no permissions.
Java
Latest commit b35b888 Dec 14, 2012 @thomascannon Update README.md
Failed to load latest commit information.
SMSSpoofer
.gitignore Initial commit Nov 2, 2012
README.md Update README.md Dec 14, 2012
screenshot-2012-11-03-025014.png

README.md

Android SMS Spoofer

Proof of Concept app which takes advantage of Android's SmsReceiverService being exported to fake an incoming SMS with no permissions.

On 2012-10-30 NCSU notified Google about a "Smishing" vulnerability (1) in Android. The vulnerability appears to be due to Android exporting SmsReceiverService in the com.android.mms app with no apparent restrictions. A third party app can therefore pass an explicit Intent to the SMS app containing a fake SMS message and the SMS app will process it.

This issue has been known about and used for some time (2,3,4) by test apps and apps designed to intercept, alter and pass on SMS messages. NCSU were the first to publically highlight the security vulnerability that arises from this functionality, namely that a user can be tricked into taking action on a faked SMS message.

Google commited a fix to Android 4.2_r1 a few days after notification on 2012-11-02.

This PoC app simply wraps existing code already made public so that the issue can be validated and countermeasures designed while users wait for the patch.

Download APK

Screenshot