Google Removes SMS App After Researcher Presents Details of Flash SMS Vulnerability
The HushSMS app had been on Google Play since February 2012
Last week, at the DefCamp security conference, researcher Bogdan Alecu presented a way to reboot Google Nexus devices by sending class 0, or Flash SMS, messages. Shortly after, Google removed an app that could be used to send such messages from Google Play.The application in question, HushSMS, had been available on Google Play since February 2012. Now, after Alecu presented his findings, the app was removed for policy violations.
The app’s developer, Michael Mueller, says the program was removed from both Google Play and AndroidPit.
While AndroidPit removed it without any explanation, Google noted that the app was deleted for “violation of the dangerous products provision of the Content Policy and sections 4.3 and 4.4 of the Developer Distribution Agreement.”
“HushSMS is an app that can send messages in accordance to the 3GPP Specification 23.040 ‘Technical realization of the Short Message Service,’ and some other specifications like OMA WAP,” Mueller said via email.
“So all HushSMS does is provide users the possibility to use the GSM Network like it is specified. So if Google decides to remove an app that just uses the GSM network the way it is designed and officially specified, they also have to remove any SMS app from the Play Store as they just do the same. They can send SMS messages – not more, not less.”
It’s worth noting that Mueller has also developed the Class0Firewall app that protects Google devices against the Flash SMS attacks presented by Alecu.
Alecu also believes that the timing is curious, to say the least.
“Google has demonstrated that it's easier to ban an application than to actually fix a bug, considering there are also other applications which allow the sending of Class 0 type messages,” the researcher told us.
“I consider their reaction to be unprofessional in this case and I find it strange they removed HushSMS from their store just a couple of days after I've decided to go public with the Class 0 SMS bug in Android.”
We’ve reached out to Google to hear their side of the story. However, we haven’t received a response until press time.