Varutra revealed an issue in the text message notification implementation of Google’s Android operating system which may lead to compromise of user’s Google account, associated with the mobile number of an Android device.
Varutra research team “KALP@Varutra” discovered that, by default, the contents of text messages (SMS) received are displayed on the notification area of the device even if the device is in locked mode. To reset the Google account password, Google sends a verification code on a text message to the mobile device of the user. In case of an Android device, this verification code can be read from the notification area, and thus be used to reset the victim’s account credentials. The only pre-requisite for such an act to be successful is for the malicious user to know the victim’s Gmail ID where victim has set his android phone number with the target Android device.
Consider a scenario where in, a malicious user wants to compromise the victim’s Google account and has visibility to the victim’s mobile screen:
As per security best practices, the verification code must meet the necessary complexity requirements of being more than 8 digit alphanumeric code, making it difficult to memorize. Also, it should be made random i.e. should change on every new request.
The issue was tested and found to be affecting Android version prior to 4.0.
Written By,
Attack & PenTest Team,
Varutra Consulting
Introduction In the era of digitalization, data security has become a paramount concern. Every day,…
I.Introduction Bluetooth has become an integral technology for billions of smartphones, computers, wearables, and other…
I. Introduction In today's ever-evolving cybersecurity landscape, staying ahead of adversaries has become a challenge.…
Introduction In an increasingly interconnected world, the financial industry is becoming more vulnerable to cyber…
Introduction In today's interconnected world, where smartphones are an extension of our lives, ensuring the…
Introduction Unseen and unpredictable, zero-day threats loom as a constant menace to modern businesses. Detecting…