Google warns smartphone users that “text-based scams are evolving into a sophisticated, global enterprise designed to inflict devastating financial losses and emotional distress on unsuspecting victims.” But millions of users are still being caught by these attacks. And there’s one setting Google says you must disable on your phone.
A few weeks ago, Google issued its most thorough report yet into “text-based scams” targeting Android users. Almost all users “report receiving scam text messages,” it says, and “only 4% of victims recover the money” stolen through these attacks.
Text-based scams are executed on an industrial scale. Often originating with organized criminal gangs in China, attackers use banks of smartphones with consumer SIMs and revolving domain names in their campaigns. It’s a numbers game, pure and simple.
But there are also more localized attacks, exploiting a major security vulnerability with the smartphone you’re carrying in your pocket or bag. Sometimes attackers don’t even need to know your cellphone number to target you. They do it when you come physically close to them, attacking you over the air without you ever realizing.
These so-called SMS blaster attacks trick phones into switching from legitimate 4G/5G networks, which are well encrypted, to a local fake cell tower they carry with them. This uses older 2G technology and is completely unsecured. Once your phone connects, they hit you with texts that pretend to be your bank or a major retailer or a public body.
The latest report into SMS blasting comes from Europe, where police in Greece have just arrested and charged criminals “with forgery of documents, fraud, and repeated illegal access to information systems as part of an organized criminal group.”
The attacks earlier this month followed the discovery of a “portable computer setup connected to a (car) roof-mounted ‘shark fin’ antenna — designed to mimic legitimate cell towers — along with five mobile phones.”
Green media reports that the individuals “used the vehicle-mounted system to create fake mobile base stations, employing the ‘SMS Blaster Attacks’ technique. This forced nearby smartphones to downgrade from 4G/5G to the less secure 2G network, exploiting known vulnerabilities to capture subscriber identification data (such as phone numbers) without user knowledge.”
The attackers then “sent mass phishing SMS messages impersonating trusted sources like banks or courier services. These texts contained malicious links that tricked victims into entering bank card details, passwords, and other personal information.”
We have seen similar attacks in the U.S., Europe and elsewhere. It’s a growing threat.
Google has found increasing evidence of “the exploitation of weaknesses in cellular communication standards leveraging cell-site simulators to inject SMS phishing messages directly into smartphones. This method to inject messages entirely bypasses the carrier network,” and all “network-based anti-spam and anti-fraud filters.”
Google says “Android 12 introduced a user option to disable 2G at the modem level, a feature first adopted by Pixel. This option, if used, completely mitigates the risk from SMS Blasters.” You can do that within most Android phone settings, or by enabling Google’s new Advanced Protection mode that was released with Android 16.
You should do that now.
