An SMS can force a URL or app on smartphones

[Brian Warkoczeski]

An SMS can force a URL or app on smartphones

by Elinor Mills

July 30, 2009

LAS VEGAS--In one of a handful of SMS-related presentations here at the 
Black Hat security show, researchers demonstrated on Thursday how they 
can force certain types of smartphones to visit a malicious URL or 
install an app without user approval.

The vulnerability only affects phones that have been misconfigured by 
the original equipment manufacturer so that they accept any message sent 
through WAP Push (Wireless Application Protocol), a service that runs on 
top of SMS, said researcher John Hering.

WAP Push messages should only be accepted when sent by a trusted party 
such as the mobile operator, said Hering, chief executive of Flexilis, 
which provides software for protecting mobile phones from attack.

The vulnerability spans all Windows Mobile devices including HTC, 
Motorola, and Samsung, but not all of any one make or model of phone is 
found to be vulnerable, only random ones, he said.

For rest of article, see:

http://news.cnet.com/security/?tag=hdr;snav