If you have been receiving suspicious text messages on your Android smartphone recently, check if you’ve downloaded any malicious applications of late.
The message is possibly from a rogue source, or it may not even be a real message, but a scam set up to make you think a message has arrived. If you click on it, you will have been tricked into opening up your phone to attacks.
Just last week, North Carolina State University published a video showing how this was done. Such SMS spoofing can be used for “phishing” attacks, which could trick someone into providing banking credentials or subscribing to paid services.
What is alarming is that some 200 applications now on Google’s Play store use similar programming code to deliver advertisements, according to security firm Symantec. In an advisory put out on Thursday, it said this was despite the code to create such spoof SMSes being publicly documented and used since August 2010.
Some of the applications use the code to integrate text messaging with instant messaging or other online services, but the vast majority are using an ad network software development kit (SDK) which pushes ads straight into your SMS inbox.
Sometimes, these spoof SMSes are never even sent or received. Instead, the phone’s software that is in charge of receiving text messages is tricked into thinking a message has arrived before it stores the text message and notifies the user of the event.
To make things worse, scammers can insert any arbitrary “from address” and they don’t need special permissions from a phone user to insert a spoofed message.
Although Symantec has yet to find any instances where applications use the code for a targeted SMSishing attack, it advises users to watch out for any suspicious incoming text messages.
More details are available on Symantec’s blog.