According to the researcher, on an iPhone the reply-to phone number can easily be made to display a number other than the one from which the SMS was actually sent. This is achieved through a simple procedure: a malicious user manipulates one of the options in the User Data Header (UDH) section of the SMS, thereby changing the reply-to number.
If such a message is crafted and the receiver's handset honours that header, in this case an iPhone, then a user who tries to reply to the message will not actually be replying to the number displayed in the "reply-to" field but to the original number from which the malicious user sent the SMS. What makes it worse is that most carriers do not check this part of the message.
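The check the article says most carriers skip is a simple one: compare the reply address carried in the UDH with the number the message actually came from. The following is an added example, not code from the article or from pod2g; it assumes the UDH layout of 3GPP TS 23.040 (the Reply Address Element is IEI 0x22 and its payload uses the same digit-count, type-of-address, nibble-swapped BCD format as the originating address), and all sample bytes are constructed.

```python
"""Gateway- or handset-side check: flag an SMS whose UDH reply address differs
from the sending number (TP-OA). Added example, not from the original article."""
from typing import List, Optional, Tuple

REPLY_ADDRESS_IEI = 0x22  # "Reply Address Element", 3GPP TS 23.040 (assumption)


def parse_udh(udh: bytes) -> List[Tuple[int, bytes]]:
    """Split a User Data Header into (IEI, data) pairs, rejecting bad lengths."""
    if not udh or udh[0] != len(udh) - 1:
        raise ValueError("UDHL does not match header length")
    ies, pos = [], 1
    while pos < len(udh):
        if pos + 1 >= len(udh):
            raise ValueError("truncated information element")
        iei, iedl = udh[pos], udh[pos + 1]
        data = udh[pos + 2 : pos + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("IE data length exceeds header")
        ies.append((iei, data))
        pos += 2 + iedl
    return ies


def decode_address(field: bytes) -> str:
    """Decode a TP-style address: digit count, type-of-address, swapped-nibble BCD."""
    if len(field) < 2:
        raise ValueError("address field too short")
    ndigits, toa = field[0], field[1]
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in field[2:])[:ndigits]
    international = (toa & 0x70) == 0x10  # type-of-number 001 = international
    return ("+" if international else "") + digits


def reply_mismatch(sender: str, udh: bytes) -> Optional[str]:
    """Return the divergent reply address if the UDH carries one, else None."""
    for iei, data in parse_udh(udh):
        if iei == REPLY_ADDRESS_IEI:
            reply_to = decode_address(data)
            if reply_to != sender:
                return reply_to
    return None


# Constructed sample: message really sent from +15551230000, but its UDH
# carries a Reply Address Element pointing at +15559876543.
SAMPLE_SENDER = "+15551230000"
SPOOFED_UDH = bytes([0x0A, 0x22, 0x08, 0x0B, 0x91, 0x51, 0x55, 0x89, 0x67, 0x45, 0xF3])
# Constructed benign UDH: only a concatenation IE (IEI 0x00), no reply address.
BENIGN_UDH = bytes([0x05, 0x00, 0x03, 0xAB, 0x02, 0x01])

if __name__ == "__main__":
    print("spoofed reply-to:", reply_mismatch(SAMPLE_SENDER, SPOOFED_UDH))
    print("benign message:", reply_mismatch(SAMPLE_SENDER, BENIGN_UDH))
```

A message that trips this check can be dropped at the SMSC or shown with its true originating number instead of the header-supplied one.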
How can this be used maliciously? The researcher explains that an attacker can send messages to unsuspecting users so that they appear to come from a trusted source, perhaps a bank or the user's own carrier; when the user tries to reply to that SMS, the reply is routed to the attacker's actual phone number without the user's knowledge.
This flaw is not restricted to the iPhone: any phone that correctly interprets the UDH is vulnerable to such an attack. Pod2g warns that the flaw is severe and that users need to tread carefully when sending sensitive or confidential information by SMS.