Samsung Galaxy S4 Contains Serious Smishing Vulnerability, Firm Warns


A security firm is warning about a serious security vulnerability in Samsung's Galaxy S4 devices, claiming that attackers can use it to silently send text messages.

Qihoo 360 Technology, an antivirus company based in China, said its engineering team discovered the vulnerability June 17. It can potentially be used by SMS Trojans to silently rack up premium text messaging charges.

"The vulnerability has been promptly reported back to Samsung after the discovery and Samsung is already in the process of developing an official update to fix the reported vulnerability," Qihoo said in a statement about the vulnerability. Samsung did not respond to a request for comment from CRN.


Qihoo posted details about the vulnerability on its US Facebook page and its website. The flaw is related to a cloud backup feature in Galaxy S4. A rogue mobile application could contain code exploiting the vulnerability to send fraudulent scam text messages ordering premium-rate services, the firm said. It can also be used to fake incoming SMS messages for phishing scams.

"By exploiting the vulnerable cloud backup feature, malware could pretend to be the identity of any contact, friend, relative, or company/organization (including your banks) when faking phishing SMS messages," the firm said. "When these phishing SMS messages are received, users may be tricked into clicking fraudulent links or disclosing sensitive personal information."

Qihoo recommends S4 users temporarily disable the cloud backup feature when not in use. Users of the firm's Android mobile security app, 360 Mobile Security, are protected from the issue.

Security firms have been warning about the precipitous increase in Android malware. More than half of the threats are SMS Trojans.

While mobile malware and malicious applications get headlines, channel experts tell CRN that the focus is primarily on helping customers control corporate data when an employee loses a device or reports it stolen.

Pete Greco, vice president of sales and technology at Productive Corp., said many firms are either introducing their own devices or using Microsoft ActiveSync to enforce basic policies, such as maintaining a device passcode and remote wipe capabilities. Businesses may be turning to their endpoint security vendors for assistance because mobile security capabilities are often bundled with endpoint security software, Greco said.

"There is a potential risk if someone who has wide open access through their cell phone is targeted and it is used as a conduit back to the email server or application server," Greco said.

Samsung, Apple and other smartphone makers have dealt with a variety of firmware errors. Official updates are pushed out by mobile carriers and are often slow to make it to device owners, say security experts. Security firms in March warned about a vulnerability in the Galaxy Note 2 that enabled people to bypass the device lock screen. Similar issues were reported in the iPhone. Software updates fixed those vulnerabilities.