In the information age, nearly everyone has a mobile phone. You may receive a text message or phone call that shows a relative's name, yet when you look closely at the number, it is not your relative's mobile number. How does this happen? Recently, the nationally well-known hacker security organization Oriental Alliance demonstrated this technique: "What if you received a message from a friend, only to find out later that it was not really from your friend? After using the contact framework on iOS, I was surprised to find that this was a very realistic possibility. Both Apple and Google have been notified (the same attack may also apply to Android devices). I didn't include the source code, but implementing this would be a simple task."
Attack
You are a technically savvy smartphone user who receives a message from a known contact, possibly even a family member. Unknown to you, the message actually comes from the attacker and may contain a phishing link, a question or a request for an action that you would never entertain from a stranger. Coming from a trusted contact, that caution all but disappears.
Message from a simulated contact
A back-and-forth exchange is also possible. You reply to what you assume is a trusted contact and get a reply back from the attacker. Meanwhile, the impersonated contact has no idea what is going on.
Reply from a fake contact
Once (or even if) you realize what happened, you may not guess how. You might think that the sender's device was "hacked". In fact, the real cause may have long since disappeared from your device: an application that you uninstalled months ago and that may no longer even be available on the App Store.
How did this happen?
On closer inspection, the trusted contact has an additional number assigned to its contact card. It is this number that enables the exchange of messages between the attacker and the target user. At some point in the past, maybe even months or years ago, you installed an application. The application may well have performed the function it claims to perform. In addition, the app does the following:
1. Asks you to provide your phone number during setup (may be used for two-factor authentication)
2. Asks for permission to access your contacts
Both of these are quite common application behaviors. As long as the application's functionality appears to justify access to this information, many users will not think twice. Then, under the guise of providing real functionality, the application chooses a target contact and silently adds an additional phone number to it. Your phone number and the target contact's data are sent to the attacker, who stores this information for later use.
Contact Permissions Dialog
All the attacker needs to do now is send a message from the number that was silently added to the trusted contact entry. Your device will display it as a message from the matching trusted contact, and you would be none the wiser. For greater effect, the application can apply heuristics when selecting target contacts, such as picking "Papa" and "Mom" or contacts with nicknames.
How this can be resolved
iOS currently offers only a single contacts permission, which grants both read and write access. At the very least, separating these permissions seems reasonable. It would also be advisable to record which application made each edit, which could allow some sort of reversal or a blacklist to be applied to maliciously edited numbers. A good solution would do all of these things and also show a UI signal the first time you receive a message from an app-edited number.
What should you do?
Allowing an application to access your contacts means placing a great deal of trust in it. Before granting the permission, make sure you are comfortable with the app having full read and write access to your address book. Small apps from unrecognized publishers may not match their description. Large branded applications are unlikely to perform the malicious behavior described (which I believe is somehow illegal).
As mentioned earlier, the Eastern Alliance hacker security experts said that both Apple and Google have been notified. Google has flagged the issue as "not going to work" and Apple has said it wants to catch this behavior in the application review process. Although it is best to catch this malicious behavior during application review, an application may activate the behavior only after a certain date, allowing it to pass the review without problems. At the moment, the best advice I can give is to make sure that you don't allow apps to access your contacts unless they come from a trusted, designated publisher.
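Since the platform keeps no per-app record of contact edits, a user-side check is to diff two address book exports. The following is an added example, not code from the original article or the researchers: it compares a baseline vCard export with a current one and reports numbers that appeared on contacts that already existed. It assumes contacts are matched by their FN (display name) field and that vCard lines are not folded; the sample data is constructed.

```python
import re

# Constructed sample exports, abbreviated vCards: an earlier baseline and today's export.
BEFORE = """BEGIN:VCARD
FN:Mom
TEL;TYPE=CELL:+1 (555) 010-0101
END:VCARD
BEGIN:VCARD
FN:Alex Example
TEL;TYPE=CELL:+1 555-010-0102
END:VCARD"""
AFTER = """BEGIN:VCARD
FN:Mom
TEL;TYPE=CELL:+1 555 010 0101
item1.TEL;TYPE=pref:+1 555 010 0199
END:VCARD
BEGIN:VCARD
FN:Alex Example
TEL;TYPE=CELL:+1 555-010-0102
END:VCARD
BEGIN:VCARD
FN:New Colleague
TEL:+1 555 010 0103
END:VCARD"""

def parse_vcards(text):
    """Map each contact's FN to the set of its phone numbers (digits only)."""
    book, name, nums = {}, None, set()
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        prop = key.split(";")[0].split(".")[-1].upper()  # drop params, "item1." group
        if prop == "BEGIN":
            name, nums = None, set()
        elif prop == "FN":
            name = value.strip()
        elif prop == "TEL" and re.search(r"\d", value):
            nums.add(re.sub(r"\D", "", value))  # ignore formatting differences
        elif prop == "END" and name:
            book.setdefault(name, set()).update(nums)
    return book

def added_numbers(before_text, after_text):
    """Numbers that appeared on contacts which already existed in the baseline."""
    before, after = parse_vcards(before_text), parse_vcards(after_text)
    return {name: sorted(nums - before[name])
            for name, nums in after.items()
            if name in before and nums - before[name]}

print(added_numbers(BEFORE, AFTER))
```

A flagged number is only a prompt to confirm with the contact through another channel; people legitimately add numbers too, and a number written with and without a country code will be reported as different.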
Smart phone security: How hackers secretly control your mobile phone number