Can a link in a text message contain a virus?

Like Elaine Benes, I have a common fake name and address that I give to spammers. No house exists at that address. Today, I received a text message, “Dear Daniel” (my fake name), “This is Joey, your delivery guy.” Joey claims he tried to deliver a package (I’ve never asked for anything) . Joey wants to know when he can deliver it. [Suspicious link removed by moderator.]

What could happen if I put my finger on the link?

Please do not post suspicious links, especially one that seems as dicey as this one. I have removed the link. This is closed.

Colibri
GQ Moderator

Reopened by request.

I asked for this to be reopened (thanks @Colibri ) because there is some stuff to talk about here…

The majority of links in spam/scam messages and emails are some sort of phishing attempt, so the link would take you off to a web page that pretends to be something it isn’t, which will try to trick you into entering personal details, passwords, bank info, etc.

That’s the majority case. But there are risks of worse outcomes, by which I mean: things that will cause damage from a single click (or tap, on a mobile platform).
Because:

  • At any given time, there will be unpatched vulnerabilities in almost any kind of software, including mobile platforms
  • The web server hosting the target of the link will usually know what sort of device is requesting the content (so it can potentially serve up a piece of malware specific to iOS, Android, Desktop Chrome, whatever)

In the last 12 months when I worked in IT, I had to clean up two separate cases where a single click on a link had compromised a user’s accounts or system - if anyone tells you that a single click on a link can’t possibly be dangerous, they are simply wrong. It’s not the most common form of attack by link, as I say, but it exists, and is not going away.

The sensible approach with links in emails and text messages is to distrust by default. Unless you have very clear and specific reasons to explicitly believe the link is trustworthy (so for example that could be if you just requested a password change, and you get a confirmation request, and the domain checks out), just don’t click links in emails or texts.

The user interface of the texting app itself is a vulnerability: To delete a message in my Android texting app one needs to long-press it and then choose “Delete”. Fumble that and short-press it instead and you’ve just clicked something dangerous. Messages need to be deletable without interacting with them.

With the right kind of vulnerability, simply receiving a text could compromise your phone. This isn’t entirely theoretical: Apple devices once had a texting bug that could reboot your phone, and Android had a bug where receiving a picture over SMS could infect your phone with a virus.

The messaging service is just a program and when it receives a text it does some processing on it, even if you don’t look at the message. That processing can be buggy, leading to a security hole. And since messaging apps tend to have a pretty wide set of permissions (access to contacts, photos, the text service itself, etc.), vulnerabilities can be pretty bad.

Fortunately, there don’t seem to have been any recent bugs like this, so I guess both Apple and Google have started taking things more seriously. But it’s still a theoretical possibility.

As for the OP’s actual problem, I agree that it was almost certainly a phishing attempt. Unless you work for an Iranian nuclear facility.

In general, assume the worst, and work backward from that, based on evidence and calm reason.

Assume the person calling from your bank is a thief, until and unless you find compelling evidence to the contrary.
Assume the link in an email will destroy your computer and compromise your accounts, until you find a solid reason to believe otherwise.

Different apps are different of course, but is that the only way to delete a message on your app?

e.g. for my app, I can do as you say.

Or from the hamburger menu I can select the delete mode. Once that mode is selected selected a selection checkbox appears next to the messages which can be safely tapped long or short to select. Any links in the message itself are dead. Then finally a delete prompt at the bottom deletes all the checked messages.

It’s more steps, but it’s also a lot safer against an inadvertent tap on a dangerous link.

I have an Android phone, on which I delete texts by touching the three dots in the upper right corner. That brings up a menu containing "Delete message:, “Notification type”, and “Block number”; selecting “Delete message” brings up a process like what @LSLGuy mentions except there’s also a “delete all” button at the top if there’s more than one message.

Thank you @skywatcher and @LSLGuy, I never noticed that hamburger button at the top right of the text app. I so rarely delete texts. Appreciate you pointing it out to me, it’s a much safer method to delete suspicious texts.