Not too long ago, researchers from North Carolina State University published a video demonstrating how an app can simulate the reception of a text message from a spoofed source. SMS spoofing of this kind can be used for a number of malicious purposes, including SMS phishing attacks (SMSishing).
Although the code has been publicly documented and used since August 2010, Symantec has yet to find any instances that use the code for an SMSishing attack. Instead, its findings reveal that the vast majority of apps containing the code use it to deliver advertisements. Symantec has recorded more than 250 applications that contain code using this technique, including 200 apps that are currently available on Google Play.
So, what is a spoofed SMS message? The message is never sent or received. Instead, the system service in charge of receiving text messages is tricked into thinking a message has arrived. It will store the text message and notify the user of the event. A phishing attack of this kind can specify any arbitrary "from address" for the message, and no special permissions are required to insert a spoofed message.
Users should be wary of the source of any suspicious incoming text messages while Google improves its Android platform to prevent spoofing of these text messages. According to Norton, "these apps may be identified by Norton Spot and any future malicious usage is detected by Norton Mobile Security."