SMS is one of the preferred attack paths for malicious actors. Over time, the protocol has become increasingly secure, although attackers still find ways to bypass some filters. Android natively integrates options and tools that help keep your device safe from text message fraud attempts.
In a new blog post, Google is alerting the public about one of the most common SMS attack methods today. They also mention the tools that Android integrates to prevent such attacks from being successful.
FBS attacks seek to exploit SMS protocol vulnerabilities
According to the blog post, many SMS attacks use False Base Stations (FBS). Also known as cell-site simulators or Stingrays, these are devices that simulate a carrier network so that your device will try to connect to them. Typically, these devices broadcast a 2G network, although it is sometimes camouflaged as 5G. Attackers need to downgrade your device’s network to 2G to exploit vulnerabilities in the SMS protocol that are not present in 4G or 5G networks.
If the attacker manages to lure your device into the 2G FBS network, a phishing injection (also known as an “SMS Blaster”) will begin. Phishing involves messages with malicious intent disguised as coming from real, trustworthy companies. Attackers with FBS have full control over the message and how it is displayed, so they can be very convincing. The fraudulent messages often contain links that redirect you to sites that seek to steal your data or get you to download malware-laden apps.
Those who resort to FBS-based attacks even carry these devices with them. They are compact in form and are freely sold online. Using FBS devices for SMS fraud attempts is much more lucrative than trying to phish through the networks of major carriers. Telecoms implement multiple layers of anti-phishing security at the network level. So, most malicious messages will never reach users. However, the FBS allows the attacker to bypass your carrier’s network entirely.
These Android features keep you safe from text message fraud
After explaining the context of the SMS Blaster attacks, Google mentioned Android options that will help you stay safe from text message fraud attempts. First, starting with Android 12, users can disable 2G searching at the modem level. This will render attack attempts via FBS completely useless, as your phone will ignore 2G networks. Initially, the option was exclusive to Pixel phones, but now all Android devices are supported.
Also, starting with Android 14, the OS can disable null ciphers. This is important because FBS-based attacks set a null cipher to initiate a phishing injection. These two features alone should keep you pretty safe, but there’s more. Android also integrates antispam protection at the OS level. So, if the potential FBS bypasses your carrier’s network protections, it still has to get past Android’s security layer too.
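The two conditions described above, a drop from 4G/5G to 2G and a null cipher on the 2G cell, can be checked together when reviewing radio and message telemetry. The following is an added example, not code from Google's post or from Android; the event format, field names and sample timeline are constructed for illustration.

```python
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MODERN_RATS = {"LTE", "NR"}  # 4G and 5G radio access technologies
NULL_CIPHER = "A5/0"         # GSM "no encryption" algorithm identifier


def find_suspect_sms(events, min_indicators=3):
    """Return SMS events that arrived on a 2G cell with enough risk indicators."""
    findings = []
    prev_rat = None
    cell = None         # most recent cell registration event
    downgraded = False  # current 2G attachment was reached from 4G/5G
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "cell":
            if ev["rat"] != "GSM":
                downgraded = False
            elif prev_rat in MODERN_RATS:
                downgraded = True
            prev_rat, cell = ev["rat"], ev
        elif ev["type"] == "sms" and cell is not None and cell["rat"] == "GSM":
            indicators = ["2g"]
            if downgraded:
                indicators.append("downgrade")
            if cell["cipher"] == NULL_CIPHER:
                indicators.append("null_cipher")
            if URL_RE.search(ev["body"]):
                indicators.append("link")
            if len(indicators) >= min_indicators:
                findings.append({"t": ev["t"], "sender": ev["sender"],
                                 "indicators": indicators})
    return findings


# Constructed sample timeline (not real telemetry).
SAMPLE_EVENTS = [
    {"t": 0, "type": "cell", "rat": "LTE", "cipher": "EEA2"},
    {"t": 10, "type": "sms", "sender": "MyBank", "body": "Your code is 4821"},
    {"t": 120, "type": "cell", "rat": "GSM", "cipher": "A5/0"},
    {"t": 125, "type": "sms", "sender": "MyBank",
     "body": "Account locked, verify at http://example.test/login"},
    {"t": 300, "type": "cell", "rat": "LTE", "cipher": "EEA2"},
    {"t": 310, "type": "sms", "sender": "MyBank", "body": "See https://example.test/a"},
]

if __name__ == "__main__":
    for finding in find_suspect_sms(SAMPLE_EVENTS):
        print(finding)
```

Only the message received at t=125 is reported, because it is the only one delivered over a downgraded, unencrypted 2G attachment; the same sender's messages over LTE are left alone.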
The OS also includes the Verified SMS system. This one lets you know if a message comes from a legitimate company via a blue check. Then, there’s Android’s Safe Browsing system that warns you about potentially dangerous links. Lastly, Google Play Protect scans your apps and warns you if any are potential sources of malware. All of these tools will help keep your Android safe from text message fraud attempts. Anyway, remember that common sense is another important layer of security, and that’s on your side.