When Google makes a recommendation or advice, it’s best to pay attention. While the Menlo Park company recently explained that we were abusing the magic functions of Google Photos, it published a post a few days ago on its security blog to Protect your Android devices from SMS fraud.
More precisely, it is about mobile connection to 2G or GSM networks. From this moment on, the doors would be open to receiving SMS messages containing phishing and spam. The key is that the antennas we connected to were not those of our trusted telecommunications company (the official infrastructure), but rather we would have established contact and communication with portable antennas that pretend to be them.
What are SMS Blaster
As Google itself details, this is the term used by operators to refer to small portable antenna stations that supplant the official network of the operators (they even fit in a backpack). Once they have established this fake network, they take care of bombarded with fraudulent SMS (smishing) to connected devices.
Google warns that its implementation is very simple: just place the equipment in an area with a high concentration of potential victims and emit a 4G/5G signal so that the terminals degrade the connection to 2G, to this fake 2G network that is controlled by an attacker. Why 2G?
Because it is a protocol that lacks two-way authentication, that is, it the network authenticates the client but not the other way around. From there and taking advantage of the fact that the connections are not encrypted, these SMS are injected.
A good part of the danger of SMS Blaster is that, as Google says, these devices are sold over the Internet and you don’t need much technical knowledge to operate them, as their setup is relatively simple and they are almost ready to go to impersonate a network operator. Similarly, it is possible configure and customize SMS payload, message fields and their metadataeven including the sender’s number. This way, it is possible to make the message look like an authentic SMS from the bank.
Another important fact: mobile devices They are vulnerable to this type of fraud if they support a 2G connectionregardless of the 2G status of your local operator.
How to protect your Android mobile
Fortunately, there are security features to significantly reduce this risk and even block it completely. The very veteran GSM or 2G has been compliant for over 30 years, although during this time different weaknesses have emerged in this technology. One of them allows mobile phones to connect to any network, thus allowing man-in-the-middle attacks in which attackers place equipment to capture communications and data exchanged on the network.
This is why Google has implemented the option of disable 2G on your mobile in 2022 with Android 12, something you can do from ‘Settings‘ > ‘Networks and internet‘ > ‘SIM cards‘ (on Google Pixel, the route may vary depending on the brand or model). So, your mobile ignores 2G networks except to make an emergency call to 112.
In order to bombard SMS, this fake network asks the mobile not to use encryption, but since Android 14 and for terminals that implement the HAL 2.0 radio or higher, Google has implemented the option of reject networks with null encryption or zero numbers.
Finally, among Google’s recommendations, there is the implementation of anti-spam protection to identify and block unwanted SMS messages, as well as the verified SMS function to better identify legitimate messages from companies (with a blue check mark).
Cover | Daniel Vega (Xiaomi World)
In Xataka Android | Your Android mobile security, in your hands: two tips to protect your unlock pattern
