SMS is one of the preferred attack vectors for malicious actors. Over time, its security has improved, but attackers continue to seek ways around filters. Android natively integrates various options and tools to protect devices from SMS fraud attempts.
In a recent blog post, Google issued a warning about one of the most common SMS attack methods today. They also highlighted Android’s integrated tools to block such attacks.
According to the blog, many SMS attacks use False Base Stations (FBS), also known as Stingrays or cellular base station simulators. These devices simulate carrier networks to lure devices into connecting. They typically broadcast on 2G networks, sometimes masquerading as 5G. Attackers force devices onto 2G to exploit SMS protocol vulnerabilities absent in 4G or 5G networks.
Once a device connects to a 2G FBS network, attackers can execute SMS phishing attacks (also known as “SMS Blasting”). These involve sending malicious texts disguised as legitimate messages from trusted companies. With control over SMS content and display, attackers can deceive users with fraudulent messages containing links to data-stealing websites or malware downloads.
Google described the Android features that mitigate SMS Blaster attacks. Starting from Android 12, users can disable 2G searching at the modem level, rendering FBS attacks ineffective. Initially available for Pixel phones, this option is now available on all Android devices.
Additionally, Android 14 introduces the ability to disable blank passwords, crucial for preventing phishing injections in FBS attacks. These features, along with OS-level anti-spam protections, enhance security against SMS fraud even if FBS bypasses carrier defenses.
Furthermore, Android includes Verified SMS to mark messages from legitimate companies with a blue checkmark, providing additional assurance against fraudulent SMS.
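The attack pattern described above (a forced drop to 2G followed by a text carrying a link) can be turned into a simple correlation check. This is an added example, not code from Google or from the original article; the event format, field names and sample data are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
MODERN_RATS = {"LTE", "NR"}   # 4G / 5G
LEGACY_RATS = {"GSM"}         # 2G

# Constructed sample events in a hypothetical format: (ISO time, kind, payload)
SAMPLE_EVENTS = [
    ("2024-08-01T09:00:00", "rat", "LTE"),
    ("2024-08-01T09:05:00", "sms", "Your parcel is ready: https://example.com/track"),
    ("2024-08-01T09:10:00", "rat", "GSM"),
    ("2024-08-01T09:10:20", "sms", "Bank alert, verify now at http://example.net/login"),
    ("2024-08-01T09:10:40", "sms", "Lunch at 12?"),
    ("2024-08-01T09:12:00", "rat", "NR"),
    ("2024-08-01T09:12:30", "sms", "Invoice: www.example.org/pay"),
]

def flag_suspicious_sms(events, window=timedelta(minutes=5)):
    """Return (time, body) for SMS that carry a link and arrived on 2G
    within `window` of a drop from 4G/5G to 2G."""
    current_rat = None
    downgrade_at = None
    flagged = []
    for ts, kind, payload in events:
        when = datetime.fromisoformat(ts)
        if kind == "rat":
            if payload in LEGACY_RATS and current_rat in MODERN_RATS:
                downgrade_at = when          # 4G/5G -> 2G transition
            elif payload not in LEGACY_RATS:
                downgrade_at = None          # back on a modern network
            current_rat = payload
        elif kind == "sms":
            on_2g = current_rat in LEGACY_RATS
            recent = downgrade_at is not None and when - downgrade_at <= window
            if on_2g and recent and URL_RE.search(payload):
                flagged.append((ts, payload))
    return flagged

if __name__ == "__main__":
    for ts, body in flag_suspicious_sms(SAMPLE_EVENTS):
        print(ts, body)
```

A link received on LTE or NR, or on 2G long after the downgrade, is not flagged; the check only correlates the downgrade with the message and does not judge the link itself.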