• DocumentCode
    614095
  • Title
    Android SMS Malware: Vulnerability and Mitigation
  • Author
    Hamandi, K. ; Chehab, Ali ; Elhajj, I.H. ; Kayssi, Ayman
  • Author_Institution
    Dept. of Electr. & Comput. Eng., American Univ. of Beirut, Beirut, Lebanon
  • fYear
    2013
  • fDate
    25-28 March 2013
  • Firstpage
    1004
  • Lastpage
    1009
  • Abstract
    In this paper, we study some messaging design decisions which resulted in a set of vulnerabilities in the Android operating system, and we demonstrate how a malware application can be built to abuse these vulnerabilities. The application presents itself as a regular SMS messaging application and uses its basic permissions to send/receive short messages. Since many operators worldwide provide services that allow users to transfer credits/units through SMS, the application abuses this service to transfer credits from users illegally. The "permission" subsystem, the "broadcast receiver" subsystem, and the message-sending mechanism contribute to forming a haven for SMS malware by granting it absolute control over sending, receiving, and hiding SMS messages. Accordingly, the malicious application hides any acknowledgments from the telecom operator that might appear after a credit transfer transaction. This enables malware to drain the balance of the attacked user and has the potential to cause damage to a large number of users as well as telecom operators. The application was demonstrated on a local operator and it successfully passed standard screening procedures that claim to catch malware. A set of possible solutions is also presented in order to mitigate the risks of such attacks.
  • Keywords
    electronic messaging; invasive software; operating system kernels; Android SMS malware application; Android operating system; SMS messaging application; broadcast receiver subsystem; credit transfer transaction; message sending mechanism; messaging design decision; permission subsystem; telecom operator; Databases; Mobile communication; Monitoring; Receivers; Smart phones; Trojan horses; Android; Broadcast Receiver; Malware; Permission; SMS; Vulnerability; credit transfer;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on
  • Conference_Location
    Barcelona
  • Print_ISBN
    978-1-4673-6239-9
  • Electronic_ISBN
    978-0-7695-4952-1
  • Type
    conf
  • DOI
    10.1109/WAINA.2013.134
  • Filename
    6550526