A few days ago, researchers from North Carolina State University published a video demonstrating how an app can simulate the reception of a text message from a spoofed source. SMS spoofing can be used for a number of malicious intentions, including SMS phishing attacks, which could trick someone into providing banking credentials or subscribing to paid services. So, if you have been receiving suspicious text messages on your Android smartphone recently, check if you’ve downloaded any malicious applications of late.

The message is possibly from a rogue source, or it may not even be a real message, but a scam set up to make you think a message has arrived. If you click on it, you’d have been tricked into opening up your phone to attacks.

What is alarming is that some 200 applications now on Google’s Play store use a similar programming code to deliver advertisements, according to security firm Symantec. In an advisory put out on Thursday, it said this was despite the code to create such spoof SMSes being publicly documented and used since August 2010.

Some of the applications use the code to integrate text messaging with instant messaging or other online services, but the vast majority are using an ad network software development kit (SDK) which pushes ads straight into your SMS inbox.

Sometimes, these spoof SMSes are never even sent or received. Instead, the phone’s software that is charge of receiving text messages is tricked into thinking a message has arrived before it stores the text message and notifies the user of the event.

To make things worse, scammers can insert any arbitrary “from address” and they don’t need special permissions from a phone user to insert a spoofed message.

So indeed, while more API’s, more access could help to make the phone or user experience more enhanced, it does bring about more security risks. Convenience vs security, which will you opt for?

Via Symantec