Homescreen Applications on Android found vulnerable to Phishing Scams

Wednesday, August 30, 2017

Homescreen applications are basically the launchers or widgets you use on your Android device to make it look good, according to your taste. They also provide cool features which make the device more convenient to use. Here Cheetah Mobile (CM) comes into the scene, having found such applications vulnerable to a phishing scam. CM is known to be the best security team for detecting malware and potential threats on Android OS; it also helped detect the Hide Icon and proxy threats, among others, on Android.

And as a personal suggestion, I would really suggest you install CM Security to keep your Android device secure.

Specifically, the Leak Detection System of the CM Security Research Lab discovered a list of applications which can be affected if an attacker wants to execute a phishing scam.

What actually happens?

Image: APUS notification (example)

When we install an app, it asks for certain permissions, and after we allow them the app gets installed. A user should read those permissions to know what the app can control and have access to.

Here, in this vulnerability, the specific permission android.permission.WRITE_SMS allows messages to be placed directly into the local SMS database. Fortunately, the Android system's default messaging app doesn't show an unread-message notification for such messages. But the launchers and widgets which were found vulnerable fail to verify the source of the message, and hence start treating the fake SMS as a real one, which is displayed as unread.

So the user simply opens the message, which was in fact planted by an attacker. An attacker who plans to execute a phishing scam will always make the SMS look like a legit message and lead the user on by any means (clicking on a link or getting redirected to a phishing site).

Image: Unread SMS

Normally, this is carried out by sending push notifications over the network, which is an easy task for an attacker, but the 3rd-party applications fail to verify the source and get affected by phishing scams. The applications concerned include launchers and specific notification widgets which you use to get fancy notifications.

Which Android versions are vulnerable?

The android.permission.WRITE_SMS permission is found on Android versions below 4.4 KitKat. As of KitKat 4.4 this has been fixed, so you can relax if you have KitKat 4.4 or above. But wait! Unfortunately, customized ROMs based on KitKat (like TouchWiz, MIUI etc.) may be affected, as mentioned by CM Security Research Lab.
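As an added example (not code from the article, CM Security or any of the apps it lists), here is a small Android audit helper a defender could run on a device: it checks whether the build predates KitKat and lists the installed packages actually granted WRITE_SMS, which on such a build is exactly the set of apps able to plant messages that a launcher then shows as unread. The class and field names are this example's own assumptions.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Telephony;
import java.util.ArrayList;
import java.util.List;

// Added audit helper (not from the article or CM Security): lists the installed apps
// granted android.permission.WRITE_SMS and records whether the device is still on a
// pre-KitKat build, where any such app can write rows into the SMS database that
// launchers then display as "unread".
public final class WriteSmsAudit {
    private static final String WRITE_SMS = "android.permission.WRITE_SMS";

    // Result of one audit run; the field names are this example's own.
    public static final class Result {
        public final boolean preKitKat;        // below API 19: WRITE_SMS is honoured for any holder
        public final String defaultSmsPackage; // API 19+: the only app whose SMS writes are accepted
        public final List<String> holders = new ArrayList<>(); // packages actually granted WRITE_SMS

        Result(boolean preKitKat, String defaultSmsPackage) {
            this.preKitKat = preKitKat;
            this.defaultSmsPackage = defaultSmsPackage;
        }
    }

    @SuppressLint("NewApi") // Telephony (API 19) is only touched when SDK_INT >= 19
    public static Result run(Context ctx) {
        boolean preKitKat = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
        String defaultSms = preKitKat ? null : Telephony.Sms.getDefaultSmsPackage(ctx);
        Result result = new Result(preKitKat, defaultSms);
        PackageManager pm = ctx.getPackageManager();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null) continue;
            for (String perm : pi.requestedPermissions) {
                // requestedPermissions is what the manifest asked for; checkPermission
                // confirms the system actually granted it at install time.
                if (WRITE_SMS.equals(perm)
                        && pm.checkPermission(WRITE_SMS, pi.packageName) == PackageManager.PERMISSION_GRANTED) {
                    result.holders.add(pi.packageName);
                    break;
                }
            }
        }
        return result;
    }
}
```

On KitKat and later only `defaultSmsPackage` can write to the SMS provider, so other holders are harmless there; on a pre-KitKat device every entry in `holders` deserves a look.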

And there's good news for CyanogenMod users: it is completely safe from this vulnerability. You may also read 5 reasons why CyanogenMod is better than the stock ROM; if you are not a Cyanogen user, you should know about it.

Now that you know the vulnerable Android versions and how the attack works, we should also know which applications CM Security reported to be affected.

Affected Systems

  • Below Android 4.4 KitKat – Affected
  • Funtouch – Affected
  • flymeOS – Affected
  • Android 4.4 KitKat and above – Unaffected
  • CyanogenMod – Unaffected

There's a possibility that other custom systems may be vulnerable to this too. I would suggest upgrading your device to the latest update provided by the manufacturer. If there's no upgrade available for your device and you are concerned about security, then you should opt for a new device running the latest OS.

Affected Applications

  • APUS Notification
  • Lazy-Swipe
  • GO Launcher
  • 360 Launcher
  • EverythingMe Launcher
  • Square Dodol Launcher Theme
  • Dodol Launcher
  • Hola Notification
  • Launcher 8 Free
  • MXHome Launcher 3.1.0
  • Solo Launcher
  • C Launcher

The CM Security officials have reported this vulnerability to the respective app developers, so we should see updates soon with the vulnerability fixed. If you are using these apps, do update them regularly.

A freelance tech journo who started TechLegends. He has had bylines at a variety of publications that include Ubergizmo, It’s Foss, WindowsReport, TechLila, TechReviewPro, and Tech Cocktail. You will usually see cats dancing to the beautiful tunes sung by him. He is also keeping up with his B.Tech in Comp. Sc.