MessageMe SMS spam

there’s an on-going round of SMS spam (spam herein defined as copies of unsolicited messages that are delivered through electronic means) to get pple to install the MessageMe app. it reads something like:

“Get MessageMe (followed by a http colon slash slash msg dot me slash something something)”


and there’s a fb status warning pple of its “severity” being shared:

“If u received SMS fm MessageMe, don’t click the link. Ignore & delete. It’s a spam virus going around. Once u click the link , the same SMS wil be sent out to ALL the contacts in your hp. And max out your SMS quota.text from Members”

out of curiosity and to be extra cautious, I checked out the URL with a browser running linux. the URL behaves like a redirect URL that leads you to d/l the app.

the origin of the SMS I received two days ago is unknown. but the ‘severity’ may not be as serious as the fb status that’s going around, cos like some forumers were saying, if the redirect URL can steal and max out your SMS quota, there exists a SERIOUS vulnerability in BOTH iOS and Android. chances of this are extremely extremely slim.

so what you could do is this:
(1) don’t support MessageMe for its spamming attempt (and other apps that do the same in future);
(2) ignore/delete the SMS, and beware of similar SMSes in future cos we won’t know if one day a vulnerability could exist on more than one OS at the same time and be exploited by crackers out there (:

p.s. Thanks to Vincent for pointing out this possibility:

would it be possible that the URL will detect the OS and redirect to a different URL? E.g. it detects that the browser is calling the URL from an Android phone and redirects to an APK, which would usually prompt the user to confirm installing the app. If the user confirms, the newly installed app could possibly read the phone contacts and spam out SMSes.

i agreed to this possibility and i thought this is a cleverer way to spam. but i still maintain that if SMSes get sent out just by clicking on the link itself (without installing the app), that points to a severe vulnerability in both iOS and Android; such a case is extremely unlikely here.

pps. on further thought, if one’s contact list contains 2000 phone numbers, there is indeed a chance of ‘maxing out’ one’s sms quota if all 2000 phone numbers become recipients of the spam :O is the app kind enough to stop at a maximum cap (but will the phone know what’s your free SMS quota?), or will it just send out to the maximum possible number of contacts in the phone? scary thought if one does not have unlimited SMSes and one’s no. of contacts exceeds one’s free SMS quota in a month :O
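
One way to check the possibility Vincent raised, as an added example (not code from the original post): request a short link once per User-Agent without following the redirect, then compare where each platform is sent and flag any target that is a bare `.apk` file. The User-Agent strings, the local stand-in server, its `.example` targets and the helper names `probe` and `summarize` are all constructed for illustration; nothing here contacts the real link.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Everything below is constructed sample data for a local stand-in server.
USER_AGENTS = {
    "linux-desktop": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/120.0 Mobile",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
}
SAMPLE_RULES = [("Android", "https://files.example/app.apk"),
                ("iPhone", "https://store.example/ios/app")]
SAMPLE_DEFAULT = "https://www.example/download"

class SampleShortLink(BaseHTTPRequestHandler):
    def do_GET(self):
        # Pick the redirect target from the first rule whose token is in the UA.
        ua = self.headers.get("User-Agent", "")
        target = next((url for tok, url in SAMPLE_RULES if tok in ua), SAMPLE_DEFAULT)
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def probe(host, port, path, user_agents=USER_AGENTS):
    """Fetch path once per User-Agent; record the redirect, never follow it."""
    results = {}
    for label, ua in user_agents.items():
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers={"User-Agent": ua})
        resp = conn.getresponse()
        results[label] = (resp.status, resp.getheader("Location"))
        conn.close()
    return results

def summarize(results):
    """Return (differs_by_platform, platforms sent straight to an .apk file)."""
    apk = sorted(k for k, (_, loc) in results.items() if (loc or "").lower().endswith(".apk"))
    return len(set(results.values())) > 1, apk

def demo():
    with HTTPServer(("127.0.0.1", 0), SampleShortLink) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        results = probe("127.0.0.1", server.server_port, "/sample")
        server.shutdown()
    return results

if __name__ == "__main__":
    print(summarize(demo()))
```

A desktop-only check like the one above in the post would only ever see the default branch, which is why the comparison across User-Agents matters.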