
Smear phishing: how to scam an Android user - jamesfisher
https://jameshfisher.com/2020/08/06/smear-phishing-how-to-scam-an-android-user/
======
flanbiscuit
> On July 3rd, I reported this vulnerability to Google via their security vuln
> program. But on July 17th, Google closed the issue as “Won’t Fix
> (Infeasible)”, with the assessment that “there are no guarantees regarding
> the sender ID of SMS messages, and they are known to be spoofable.” While
> this isn’t wrong, it’s another thing for the OS to completely misrepresent
> the Sender ID as a genuine phone number. And clearly it’s feasible to fix,
> because iOS does not have this vulnerability.

> The bug, more precisely, is that Android extracts the numeric characters
> from the Sender ID, and tries to parse this as a phone number (with the
> phone’s local dialing prefix – +44 in my case). If it parses, the message is
> interpreted as from that number. For example, 7890X123456 also parses as
> +447890123456.

I might be wrong, but it seems like a simple enough bug to fix, right? Maybe if
there are non-numeric characters in the SenderID it should compare with your
contacts _before_ parsing it? So that it would appear as from an unknown user,
not someone in your contacts? There's definitely more to it, but it's a
start.
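
The parsing behaviour quoted in the comment above, next to the check-before-parsing idea it suggests, as an added Python example that is not part of the thread and is not Android's code. The contact list, the length threshold, the `+44` prefix handling and both function names are assumptions made for illustration.

```python
import re

LOCAL_PREFIX = "+44"  # assumption: UK handset, as in the quoted article

# Constructed contact list; the number is the one from the quoted example.
CONTACTS = {"+447890123456": "Mum"}


def _to_e164(digits: str, has_plus: bool) -> str:
    """Simplified normalisation (assumption): national numbers drop the
    leading 0 and gain the local prefix; '+' numbers are kept as dialled."""
    return "+" + digits if has_plus else LOCAL_PREFIX + digits.lstrip("0")


def vulnerable_resolve(sender_id: str) -> str:
    """Behaviour described in the quote: keep only the numeric characters,
    parse them as a local phone number, then look that number up."""
    digits = re.sub(r"\D", "", sender_id)
    if len(digits) < 10:  # assumption: too short to parse as a number
        return sender_id
    e164 = _to_e164(digits, sender_id.startswith("+"))
    return CONTACTS.get(e164, e164)


# A Sender ID counts as a phone number only if every character is one a
# dialled number can contain. Anything else is an alphanumeric Sender ID.
_DIALABLE = re.compile(r"\+?[0-9][0-9 ()\-]*")


def hardened_resolve(sender_id: str) -> str:
    """Check the raw Sender ID before parsing: an alphanumeric ID is shown
    verbatim and never matched against contacts."""
    if not _DIALABLE.fullmatch(sender_id):
        return f"{sender_id} (unverified alphanumeric sender)"
    digits = re.sub(r"\D", "", sender_id)
    e164 = _to_e164(digits, sender_id.startswith("+"))
    return CONTACTS.get(e164, e164)


if __name__ == "__main__":
    # Constructed inputs: the Sender ID from the quote, then genuine forms.
    for sid in ["7890X123456", "07890 123456", "+447890123456", "MyBank"]:
        print(f"{sid!r:18} vulnerable={vulnerable_resolve(sid)!r:16} "
              f"hardened={hardened_resolve(sid)!r}")
```
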

------
kn100
That's terrifying.

