Recently, CM Security Research Lab discovered that some home screen applications are flawed in how they handle SMS messages from unverified sources. Third-party applications that hold the permission to edit text messages (android.permission.WRITE_SMS, on stock systems below Android 4.4) can place messages directly into the local SMS database; home screen apps then pick these up as new messages and alert the end user. In some cases malicious users can exploit this to plant fake messages in the database that would ordinarily be caught and stopped by the default Android system, giving them an opportunity to steal information from, or cause damage to, ordinary users.
As we know, when a fake message is written directly into the inbox, the Android OS does not display an unread count on the system SMS application.
Analysis of these launcher apps found that the home screen application pushes SMS notifications by using a ContentObserver, which monitors status changes in the SMS database, reads the unread messages, and counts them, but fails to identify the message source. Owing to this deficiency, malicious SMS messages forged by third-party applications are also counted as new messages.
We do not suggest that developers completely replace the original SMS application. When a message is received, the Android OS launches a series of notification processes that identify the source of the message and then notify the user. This happens before the message is placed into the inbox, and it does not rely only on status changes within the SMS database. This mechanism minimizes the possibility of fake texts being pushed through to the end user, so we recommend that home screen app developers study this process and use it as a base for improving the security of their apps.
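
One way a launcher could apply this recommendation, as an added example that is not code from the original report or from any of the affected apps: the badge grows only on the system's SMS_RECEIVED broadcast, and the database observer is used only to lower it. The class and method names are hypothetical, and the approach assumes the app holds READ_SMS and RECEIVE_SMS; the action and URI appear as string literals because the android.provider.Telephony constants became public API only in Android 4.4.

```java
import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.database.ContentObserver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Handler;

/** Hypothetical launcher helper (illustrative names). Needs READ_SMS and RECEIVE_SMS. */
public class SmsBadgeCounter {
    private static final Uri INBOX = Uri.parse("content://sms/inbox");
    private static final String SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED";
    private final Context ctx;
    private int announced; // messages the system itself announced and not yet read

    public SmsBadgeCounter(Context ctx) { this.ctx = ctx.getApplicationContext(); }

    /** Weak pattern from the text: every unread inbox row counts, whoever wrote it. */
    public int unreadRows() {
        Cursor c = ctx.getContentResolver().query(
                INBOX, new String[] {"_id"}, "read = 0", null, null);
        if (c == null) return 0;
        try { return c.getCount(); } finally { c.close(); }
    }

    /** Hardened pattern: the badge only grows on a system-delivered SMS_RECEIVED. */
    public void start(Handler handler) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent intent) {
                Object[] pdus = intent.getExtras() == null
                        ? null : (Object[]) intent.getExtras().get("pdus");
                if (pdus != null && pdus.length > 0) announced++;
            }
        };
        // Third argument: only senders holding BROADCAST_SMS (the system) are accepted.
        ctx.registerReceiver(receiver, new IntentFilter(SMS_RECEIVED),
                Manifest.permission.BROADCAST_SMS, handler);
        // The database is still observed, but only to lower the badge when messages
        // are read or deleted; a row written by another app can never raise it.
        ctx.getContentResolver().registerContentObserver(
                Uri.parse("content://sms"), true, new ContentObserver(handler) {
            @Override public void onChange(boolean selfChange) {
                announced = Math.min(announced, unreadRows());
            }
        });
    }

    public int badgeCount() { return announced; }
}
```

A change notification that arrives between the broadcast and the inbox write can clamp a genuine message out of the count, so a production version would need to tolerate that window.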