Mobile Threat Catalogue

Intercepting SMS Messages

Contribute

Threat Category: Malicious or privacy-invasive application

ID: APP-17

Threat Description: Prior to Android 4.4, apps granted permissions to SMS messaging functionality had the ability to listen for and receive incoming SMS messages. If the app was registered as the highest priority listener for messages, it could silently (without notice to the user) intercept, read, and dispose of messages intended for other apps. One serious abuse of this was the interception of one-time passwords (OTP) used for two-factor authentication (2FA) sent over SMS. Newer versions of Android do not permit apps with permission to access SMS messaging to receive or dispose of SMS messages directly. Unlike Android, the iOS security model does not permit apps with access to SMS messaging. Malicious apps may still realize this threat following exploitation of OS vulnerabilities that bypass access control on private SMS messaging APIs or achieve arbitrary code execution.

Threat Origin

Dissecting Android Malware: Characterization and Evolution 1

Exploit Examples

New Android Trojan xBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom 2

How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication 3

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.

Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.

Perform application vetting to identify inappropriate behaviors by apps including interception of SMS messages.

Avoid the use of applications that rely on SMS messages for 2-factor authentication.

When stronger 2-factor authentication methods are available, such as FIDO U2F tokens, educate enterprise users to avoid the use of SMS messages for configuring 2-factor authentication for enterprise applications.

Use application threat intelligence data to identify apps that increase risks associated with SMS message interception.

Mobile Device User

Use Android Verify Apps feature to identify apps that may intercept SMS messages.

Avoid the use of applications that rely on SMS messages for 2-factor authentication.

Mobile App Developer

Avoid the use of SMS messages for 2-factor authentication.

References

  1. Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution”, in Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012, pp 95-109; http://ieeexplore.ieee.org/document/6234407/?arnumber=6234407 [accessed 8/25/2016] 

  2. C. Zheng, et al., “New Android Trojan XBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom”, blog, 18 Feb. 2016; http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/ [accessed 8/25/2016] 

  3. R. K. Konoth, V. van der Veen, and Herbert Bos, “How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication”, Proceedings of the 20th Conference on Financial Cryptography and Data Security, 2016; http://fc16.ifca.ai/preproceedings/24_Konoth.pdf [accessed 8/25/2016]