A newly discovered vulnerability affects most Android phones and leaves users open to "smishing" attacks delivered through deceptive text messages.
"The vulnerability allows a running [untrusted] app on the phone to fake an incoming SMS text message," Xuxian Jiang, the North Carolina State University professor who discovered the vulnerability, said in an email to Network World.
"One serious aspect of the vulnerability is that it does not require the (exploiting) app to request any permission to launch the attack," Jiang said in a synopsis of his research that he posted online.
The flaw, according to Jiang, lets an attacker to "spoof" a text message's originating number, such as a contact in a phone's address book or a bank.
"For responsible disclosure," Jiang wrote, "we will not publish the details of the vulnerability until an ultimate fix is out."
Within 48 hours of receiving word of the vulnerability, Google acknowledged the flaw, eliciting praise from Jiang.
The vulnerability has been confirmed to affect several production versions of Android, including Android 1.6 (Donut), 2.2 (Froyo), 2.3 (Gingerbread), 4.0 (Ice Cream Sandwich) and 4.1 (early Jelly Bean ).
Android 3.0 (Honeycomb), which runs on tablets only, and Android 4.2. (late Jelly Bean), which has not yet been widely released, were not tested, but the researchers suspect the flaw affects them too.
Jiang said researchers were able to demonstrate the flaw on several top-selling Android phones, including Samsung's Nexus S, Galaxy Nexus and Galaxy S III and HTC's One X and Inspire.
Jiang is the founder of the Android Malware Genome Project and has led teams that have found several other critical Android security flaws.