Android - Can the RECEIVE_SMS permission be used to intercept SMS messages?

Yes, it can, but only on Android 4.3 and lower. This is used for example in Whatsapp. When you activate the app, Whatsapp sends an SMS to the number you reported, and the app intercepts it quietly and reports to the servers that it has received the SMS. This is how the account is tied to your number.

Of course, this can be used in harmful apps also. If an app registers as an SMS receiver with the highest priority, the app can listen for incoming SMSs, process them and either dismiss them without the user ever noticing, or forward to the next SMS listener with the second-highest priority.

This has been redone in Android 4.4, and if I understood correctly, only the default SMS app has access to all incoming SMS (SMS_DELIVER_ACTION), and the other apps with correct permissions will only receive a notification of the incoming message (SMS_RECEIVED_ACTION). In addition, the SMS_RECEIVED intent is non-abortable, it can't be stopped. I assume that in Android 4.4, this is done to allow the user to see all incoming SMS messages in the default app.

Edit: Found some more useful info on the Android Developers Blog. I'd test this further, but my only Android phone is currently WiFi-only, so no SMS :/

As things stand

  1. Android 4.3 and below without Hangouts app : Any app with SMS_RECEIVE permission can read/abort an incoming SMS (ala Whatsapp)
  2. Android 4.3 and below with Hangouts (SMS mode turned on) : Any app with SMS_RECEIVE permission can read but not abort an incoming SMS
  3. Android 4.4 and above : Any app with SMS_RECEIVE permission can read but not abort an incoming SMS

In all three cases, READ_SMS will give the app permission to read all the SMSs not just new incoming SMSs.

As onik mentioned things have change quite a bit in Android 4.4