Smear phishing: how to scam an Android user

  • > On July 3rd, I reported this vulnerability to Google via their security vuln program. But on July 17th, Google closed the issue as “Won’t Fix (Infeasible)”, with the assessment that “there are no guarantees regarding the sender ID of SMS messages, and they are known to be spoofable.” While this isn’t wrong, it’s another thing for the OS to completely misrepresent the Sender ID as a genuine phone number. And clearly it’s feasible to fix, because iOS does not have this vulnerability.

    > The bug, more precisely, is that Android extracts the numeric characters from the Sender ID, and tries to parse this as a phone number (with the phone’s local dialing prefix – +44 in my case). If it parses, the message is interpreted as from that number. For example, 7890X123456 also parses as +447890123456.

    I might be wrong, but it seems like a simple enough bug to fix, right? Maybe if there are non-numeric characters in the SenderID it should compare with your contacts _before_ parsing it? So that it would appear as from an unknown user not someone in your contacts? There's definitely more to it but it's a start
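
The parsing behaviour quoted above, next to a stricter matching rule along the lines the comment suggests. This is an added example, not Android's code and not part of the original thread: the function names, the contact entry and the digit-length bounds are assumptions made for illustration.

```python
import re

# Constructed sample data: one contact stored in international form.
CONTACTS = {"+447890123456": "Alice (contact)"}
LOCAL_PREFIX = "+44"  # the phone's local dialing prefix, as in the quoted report

# Assumed rule for "purely numeric": optional '+', then 3 to 15 digits.
NUMERIC_SENDER = re.compile(r"\+?\d{3,15}")


def to_international(digits: str, had_plus: bool, prefix: str) -> str:
    """Build +<country><number>, dropping one national leading zero."""
    if had_plus:
        return "+" + digits
    if digits.startswith("0"):
        digits = digits[1:]
    return prefix + digits


def lenient_lookup(sender_id: str, contacts=CONTACTS, prefix=LOCAL_PREFIX) -> str:
    """Simplified model of the reported behaviour: keep only the digits of
    the Sender ID, parse them as a phone number, then match contacts."""
    digits = re.sub(r"\D", "", sender_id)
    if not digits:
        return sender_id
    number = to_international(digits, sender_id.startswith("+"), prefix)
    return contacts.get(number, number)


def strict_lookup(sender_id: str, contacts=CONTACTS, prefix=LOCAL_PREFIX) -> str:
    """Only a purely numeric Sender ID is eligible for contact matching;
    anything else is shown verbatim and never resolved to a contact."""
    if not NUMERIC_SENDER.fullmatch(sender_id):
        return sender_id
    number = to_international(sender_id.lstrip("+"),
                              sender_id.startswith("+"), prefix)
    return contacts.get(number, number)


if __name__ == "__main__":
    # "7890X123456" is the Sender ID given in the quoted report.
    for sender in ("7890X123456", "07890123456", "+447890123456", "MyBank"):
        print(f"{sender!r:18} lenient={lenient_lookup(sender)!r:20} "
              f"strict={strict_lookup(sender)!r}")
```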

  • That's terrifying.