Com TW NOw News 2024

Protecting your Android device against SMS fraud

Cell-site simulators, also known as False Base Stations (FBS) or Stingrays, are radio devices that mimic real cell sites in order to trick mobile devices into connecting to them. These devices are often used for security and privacy attacks, such as surveillance and interception of communications. In recent years, carriers have begun reporting new types of abuse involving FBSs for financial fraud.

In particular, there is growing evidence of the exploitation of weaknesses in cellular communication standards, using cell-site simulators to inject SMS phishing messages directly into smartphones. This method of injecting messages bypasses the carrier's network entirely, and with it all the sophisticated network-based anti-spam and anti-fraud filters. Cases of this new type of fraud, which carriers are calling SMS Blaster fraud, have been reported in Vietnam, France, Norway, Thailand, and several other countries.

The GSMA Fraud and Security Group (FASG) has developed a briefing paper for GSMA members to raise awareness of SMS Blaster fraud and provide guidance and mitigation recommendations to carriers, OEMs and other stakeholders. The briefing paper, available only to GSMA members, highlights several Android-specific recommendations and features that can effectively protect our users from this new type of fraud.

What are SMS Blasters?

SMS Blaster is the term used by global carriers to refer to FBSs and cell-site simulators that are operated unlawfully for the purpose of distributing (blasting) SMS payloads. The most common use case is to inject smishing (SMS phishing) payloads into user devices. Fraudsters typically do this by driving around with portable FBS devices, and there have even been reports of fraudsters carrying these devices in their backpacks.

The method is simple and replicates well-known techniques for luring mobile devices onto an attacker-controlled 2G network. SMS Blasters expose a fake LTE or 5G network that performs one function: downgrading the user's connection to the outdated 2G protocol. The same device also exposes a fake 2G network, tricking all devices into connecting to it. At this point, attackers abuse the well-known lack of mutual authentication in 2G and force connections to be unencrypted, which gives them a full Person-in-the-Middle (PitM) position from which to inject SMS payloads.

SMS Blasters are sold on the Internet and do not require any deep technical expertise. They are easy to set up and ready to use, and users can easily configure them to impersonate a specific carrier or network using a mobile app. Users can also easily configure and customize the SMS payload and its metadata, including, for example, the sender number.

SMS Blasters are very attractive to fraudsters because of their high return on investment. Spreading SMS phishing messages through the carrier network often yields little return, because it is very difficult for these messages to get past sophisticated anti-spam filters undetected. Only a very small subset of messages ultimately reaches a victim. In contrast, injecting messages with an SMS Blaster completely bypasses the carrier's network and its anti-fraud and anti-spam filters, guaranteeing that all messages reach a victim. Furthermore, using an FBS, the fraudster can control all the fields of the message. The message can be made to appear as if it came from a legitimate SMS aggregator, such as a bank. In a recent attack that affected hundreds of thousands of devices, the messages masqueraded as messages from a health insurance company.

While the type of abuse recently exposed by carriers is financial fraud, there is precedent for using rogue mobile base stations to spread malware, for example by injecting phishing messages with a URL to download the payload. It is important to note that users are still vulnerable to this type of fraud as long as mobile devices support 2G, regardless of the status of 2G with their local carrier.

Android protects users from phishing and fraud

There are a number of security features available only on Android that can significantly reduce the impact of this type of fraud, or in some cases even block it completely.

Android 12 introduced a user option to disable 2G at the modem level, a feature first adopted by the Pixel. This option, if used, completely mitigates the risk of SMS Blasters. It has been available since Android 12 and requires devices to be compliant with Radio HAL 1.6+.

Android also has an option to disable null ciphers. This is a key protection, because a 2G FBS must configure a null cipher (e.g. A5/0) in order to inject an SMS payload. This security feature, launched with Android 14, requires devices that implement Radio HAL 2.0 or later.
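The sketch below is an added example, not code from Android or from the original post. It replays a constructed event stream for one device through the downgrade chain described earlier, flags an SMS that arrives on 2G under a null cipher shortly after a downgrade, and shows how each of the two settings above breaks the chain. The event format, the `Policy` class, the `replay` function and the 30-second window are assumptions made for illustration; a real modem exposes this information differently.

```python
from dataclasses import dataclass

# Constructed event stream for one device: (seconds, kind, value).
# This is an illustrative format, not a real Android or modem log.
SAMPLE_EVENTS = [
    (0, "rat", "LTE"),
    (5, "rat", "GSM"),       # downgrade to 2G
    (6, "cipher", "A5/0"),   # null cipher negotiated
    (9, "sms", "Account locked, verify at http://example.invalid"),
    (60, "rat", "LTE"),
    (61, "cipher", "EEA2"),
    (70, "sms", "Your parcel has shipped"),
]

@dataclass
class Policy:
    allow_2g: bool = True           # False models the Android 12+ 2G toggle
    allow_null_cipher: bool = True  # False models the Android 14+ option

def replay(events, policy, window=30):
    """Return (delivered SMS bodies, timestamps of suspicious deliveries)."""
    rat = cipher = downgraded_at = None
    attached = False
    delivered, alerts = [], []
    for ts, kind, value in events:
        if kind == "rat":
            if value == "GSM" and not policy.allow_2g:
                attached = False          # modem never camps on the 2G cell
                continue
            if value == "GSM" and rat in ("LTE", "NR"):
                downgraded_at = ts        # remember when the downgrade happened
            rat, cipher, attached = value, None, True
        elif kind == "cipher" and attached:
            if value == "A5/0" and not policy.allow_null_cipher:
                attached = False          # unencrypted connection refused
            else:
                cipher = value
        elif kind == "sms" and attached:
            delivered.append(value)
            recent = downgraded_at is not None and ts - downgraded_at <= window
            if rat == "GSM" and cipher == "A5/0" and recent:
                alerts.append(ts)         # SMS over unencrypted 2G after downgrade
    return delivered, alerts
```

With the default policy both messages are delivered and the one at t=9 is flagged; with either setting switched off in `Policy`, only the message received over LTE is delivered.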

Android also offers effective protection that specifically targets SMS spam and phishing, regardless of whether the delivery channel is an SMS Blaster. Android has built-in spam protection that helps identify and block spam SMS messages. Additional protection is provided through RCS for Business, a feature that helps users identify legitimate SMS messages from businesses. RCS for Business messages are marked with a blue check mark, indicating that the message has been verified by Google.

We recommend using some of Google's core security features available on Android, namely Safe Browsing and Google Play Protect. As an added layer of protection, Safe Browsing, built into Android devices, covers 5 billion devices worldwide and helps warn users about potentially risky sites, downloads, and extensions that could lead to phishing or malware.

Suppose a user decides to download an app from the Play Store, but the app contains code that is malicious or harmful. Users are protected by Google Play Protect, a security feature that scans apps for malware and other threats. It also warns users about potentially harmful apps before they are installed.

Android’s Commitment to Security and Privacy

Android strives to provide users with a safe and secure mobile experience. We are constantly working to improve our security features and protect users from phishing, fraud, and other threats.

Collaborating with global carriers and other OEMs through the GSMA to support the ecosystem in the development and adoption of further mobile security and privacy features is a priority area for Android. We look forward to working with ecosystem partners to further raise the security bar in this space to protect mobile users from threats such as SMS blasters.

Thank you to all our colleagues who are actively contributing to Android’s efforts to combat fraud and FBS threats. Special thanks to the contributors to this blog post: Yomna Nasser, Gil Cukierman, Il-Sung Lee, Eugene Liderman, and Siddarth Pandit.