Securing your Android device against fraudulent text messages

Authored by Nataliya Stanetsky and Roger Piqueras Jover, Android Security & Privacy Team


Cell-site simulators, also known as False Base Stations (FBS) or Stingrays, are wireless devices that impersonate real cell sites to lure mobile devices into connecting to them. They are commonly used for security and privacy attacks, such as surveillance and interception of communications. Recently, carriers have started reporting new types of abuse carried out with FBSs for the purpose of financial fraud.

There is growing evidence that vulnerabilities in cellular communication standards are being exploited with cell-site simulators to inject SMS phishing messages directly into smartphones. This message injection method bypasses the carrier network entirely, and with it all the sophisticated network-based anti-spam and anti-fraud filters. Instances of this new type of fraud, which carriers refer to as SMS Blaster fraud, have been reported in several countries, including Vietnam, France, Norway, and Thailand.

GSMA's Fraud and Security Group (FASG) has developed a briefing paper for GSMA members to raise awareness of SMS Blaster fraud and to provide guidelines and mitigation recommendations for carriers, OEMs, and other stakeholders. The briefing paper, available to GSMA members only, calls out some Android-specific recommendations and features that can effectively protect our users from this new type of fraud.

Understanding SMS Blasters

SMS Blaster is the term global operators use for FBS and cell-site simulators that are operated unlawfully with the goal of disseminating (blasting) SMS payloads. The most common use case is injecting smishing (SMS phishing) payloads into user devices. Fraudsters typically do this by traveling with portable FBS equipment, and there have been reports of offenders carrying these devices in backpacks.

The method is straightforward and replicates known techniques for tricking mobile devices into attaching to an attacker-controlled 2G network. SMS Blasters expose a fake LTE or 5G network that serves a single function: downgrading the user's connection to the legacy 2G protocol. At the same time, the same device exposes a fake 2G network, which lures all the devices into connecting to it. The attackers then abuse the well-known lack of mutual authentication in 2G and force connections to be unencrypted, which gives them a complete Person-in-the-Middle (PitM) position from which to inject SMS payloads.
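A device-side detection heuristic for the sequence described above, as an added example that is not part of the original post: it flags an SMS that arrives on 2G over a null cipher (A5/0) shortly after a downgrade from LTE or 5G. The event tuples, the 60-second window, and the function and class names are assumptions made for illustration, not an Android log format or API.

```python
from dataclasses import dataclass

# Constructed modem-event records: (time in seconds, event kind, value).
# The format is hypothetical, not an Android or vendor log format.
SAMPLE_EVENTS = [
    (100, "rat", "LTE"),
    (160, "rat", "GSM"),         # forced downgrade to 2G
    (162, "cipher", "A5/0"),     # null cipher: the link is unencrypted
    (165, "sms", "BANK-ALERT"),  # SMS delivered over the unencrypted 2G link
    (400, "rat", "LTE"),
    (900, "rat", "GSM"),         # ordinary 2G fallback...
    (902, "cipher", "A5/3"),     # ...with ciphering enabled
    (910, "sms", "+15550100"),
]

NULL_CIPHERS = {"A5/0"}
MODERN_RATS = {"LTE", "NR"}


@dataclass
class Alert:
    time: int
    sender: str
    downgraded_from: str


def find_blaster_pattern(events, window=60):
    """Flag SMS received on 2G with a null cipher soon after an LTE/5G downgrade."""
    alerts = []
    rat = cipher = None
    downgrade = None  # (time, previous RAT) of the latest LTE/NR -> GSM change
    for t, kind, value in sorted(events):
        if kind == "rat":
            if value == "GSM" and rat in MODERN_RATS:
                downgrade = (t, rat)
            elif value != "GSM":
                downgrade = None  # back on a modern network
            rat, cipher = value, None  # ciphering is negotiated again per cell
        elif kind == "cipher":
            cipher = value
        elif kind == "sms":
            if (rat == "GSM" and cipher in NULL_CIPHERS
                    and downgrade and t - downgrade[0] <= window):
                alerts.append(Alert(t, value, downgrade[1]))
    return alerts
```

The second SMS in the sample is not flagged because the 2G connection it arrives on negotiated a real cipher, which is the condition the null-cipher control relies on.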

SMS Blasters are sold online and do not require deep technical expertise. They are simple to set up and ready to operate on purchase, and users can easily configure them to imitate a particular carrier or network using a mobile app. Users can also easily configure and customize the SMS payload and its metadata, such as the sender's number.

SMS Blasters are very appealing to fraudsters because of their high return on investment. Spreading SMS phishing messages usually yields a small return, since it is difficult to get these messages past sophisticated anti-spam filters without being detected. Only a very small fraction of messages reach a target. In contrast, injecting messages with an SMS Blaster bypasses the carrier network and its anti-fraud and anti-spam filters, which ensures that all messages reach a target. Moreover, with an FBS the fraudster controls every field of the message. It is possible, for example, to make the message look as if it comes from a bank's legitimate SMS aggregator. In a recent incident that impacted hundreds of thousands of devices, the messages were disguised as health insurance announcements.

Although the abuse carriers have uncovered so far is related to financial fraud, there is precedent for using rogue cellular base stations to distribute malware, for example by injecting phishing messages with a URL from which the payload is downloaded. It is important to note that users remain vulnerable to this type of fraud as long as their mobile devices support 2G, regardless of 2G's regulatory status at their local carrier.

Android fortifies users against phishing and fraud

Several Android-exclusive security features can significantly mitigate, or in some cases fully block, the impact of this type of fraud.

Android 12 introduced an option to disable 2G at the modem level, a feature first adopted by Pixel. With this option enabled, the risk from SMS Blasters is completely mitigated. The feature has been available since Android 12 and requires devices to conform to Radio HAL 1.6+.

Android also has an option to disable null ciphers. This is a key protection because the 2G FBS must configure a null cipher (e.g., A5/0) in order to inject an SMS payload. This security feature was introduced in Android 14 and requires devices to implement radio HAL 2.0 or higher.

Android also provides effective protections that specifically target SMS spam and phishing, regardless of the delivery method, SMS Blasters included. Android has built-in spam protection that detects and blocks spam SMS messages. Additional protection is provided through RCS for Business, which helps users distinguish genuine SMS messages from businesses. RCS for Business messages are marked with a blue checkmark, which indicates that the sender has been verified by Google.

We recommend using the key Google security features available on Android, namely Safe Browsing and Google Play Protect. As an additional layer of protection, Safe Browsing, which is built into Android devices, protects 5 billion devices globally and warns users about potentially harmful sites, downloads, and extensions that might be linked to phishing or malware.

If a user downloads an app from the Play Store and the app contains malicious or harmful code, the user is protected by Google Play Protect. This security feature scans apps for malware and other threats and warns users about potentially unsafe apps before installation.

Android’s firm commitment to security and privacy

Android is committed to providing users with a safe and secure mobile experience. We continuously work to strengthen our security protections to safeguard users from phishing, scams, and other threats.

A key focus for Android is working with global carriers and other OEMs through GSMA to strengthen the ecosystem by developing and adopting additional security and privacy features in cellular technology. We look forward to partnering with ecosystem collaborators to raise the security bar further and protect mobile users from threats like SMS Blasters.

Thank you to all our colleagues who actively contribute to Android's anti-fraud and anti-FBS initiatives, with special thanks to those who contributed to this blog post: Yomna Nasser, Gil Cukierman, Il-Sung Lee, Eugene Liderman, Siddarth Pandit.
