
How to Detect SMS Blasters

SMS blasters operate outside legitimate mobile networks, but their activity can still be detected. This article explains how operators and regulators can identify false base stations by looking for radio, signalling and location anomalies.

SMS blasters are affecting a growing number of countries. Fraudsters carry false base stations in cars, on motorbikes, or even in suitcases on the metro, and use them to blast SMS to phones in their vicinity. The fraudulent SMS try to phish information, contain malicious links and often impersonate well-known entities like banks or government agencies.

SMS blasters, sometimes also called Stingrays or IMSI-catchers, impersonate legitimate cell towers and are not connected to the local mobile operator's radio network, but that doesn't mean that nothing can be detected. SMS blasters leave “disturbances” behind, and those enable potential detection.

How an FBS-based SMS blaster operates: physical and digital process visualization

The detection techniques vary depending on where they are implemented. They can be deployed by Mobile Network Operators (MNOs), at the mobile device level, or by regulatory bodies. The operator association GSMA is also investigating the topic with its members. They have provided information on the detection of SMS blasters in their latest publications. We will analyse how to protect against SMS blasters in our next article and focus now on how to detect them.

Network-Side Detection (MNOs)

  • Radio Fingerprinting and Anomaly Detection: MNOs can use the radio environment data reported by devices (such as neighbouring cell identifiers and signal strengths) to fingerprint false base stations.
  • Unexpected Radio Access Types: Networks that have phased out older technologies can flag any 2G base station appearing in reports as a false base station. This can be detected when a device reports that it is coming from a 2G network although there is no 2G network in that country.
  • Broken Handover: In a legitimate network, the handover works as a seamless transition to maintain the session. However, with a false base station (FBS) the handover from the legitimate network to the FBS fails or is abruptly cut off. This may happen, for example, because the connection took too long or there was an abrupt unexplained connection release.
  • Signalling Volume Analysis: Advanced signalling analytics can identify SMS blaster fraud by detecting sudden spikes in signalling volume or unauthorized network access points in a small geographic area. This can occur because devices reconnect after being attached to the SMS blaster.
  • Location-Based Traffic Analysis: Correlating the received-signal strengths from multiple neighbouring base stations can help identify SMS blasters.
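
The first two checks in this list (radio fingerprinting and unexpected radio access types) can be combined in a few lines. The sketch below is an added example, not code from the article or from any operator tool; the report layout, thresholds and every cell identifier are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumptions (hypothetical, not from the article): report layout, thresholds
# and all cell identifiers are constructed. Signal levels are treated as
# directly comparable dBm values, which is a simplification across RATs.
RETIRED_RATS = {"2G"}        # radio access types this operator has switched off
INVENTORY = {"4G:1001", "4G:1002", "4G:1003", "5G:2001"}  # operator's own cells
STRONG_MARGIN_DB = 15        # louder than known neighbours by this much is suspicious
MIN_DEVICES = 2              # distinct reporting devices required before alerting

REPORTS = [  # constructed measurement reports: (device, [(rat, cell_id, dBm), ...])
    ("dev-a", [("4G", "1001", -95), ("4G", "1002", -101), ("2G", "7777", -58)]),
    ("dev-b", [("4G", "1001", -97), ("4G", "1003", -104), ("2G", "7777", -61)]),
    ("dev-c", [("4G", "1002", -92), ("5G", "2001", -99)]),
    ("dev-d", [("4G", "1003", -90), ("4G", "9999", -70)]),
]

def find_suspect_cells(reports, inventory=INVENTORY, retired=RETIRED_RATS):
    """Return {cell_key: sorted reasons} for unknown cells seen by enough devices."""
    reasons = defaultdict(set)
    seen_by = defaultdict(set)
    for device, cells in reports:
        # Baseline: median level of the cells in this report that we do know.
        known = [dbm for rat, cid, dbm in cells if f"{rat}:{cid}" in inventory]
        baseline = median(known) if known else None
        for rat, cid, dbm in cells:
            key = f"{rat}:{cid}"
            if key in inventory:
                continue
            seen_by[key].add(device)
            reasons[key].add("not_in_inventory")
            if rat in retired:
                reasons[key].add("retired_rat")
            if baseline is not None and dbm - baseline >= STRONG_MARGIN_DB:
                reasons[key].add("abnormally_strong")
    # Requiring several independent devices suppresses one-off reporting glitches.
    return {k: sorted(v) for k, v in reasons.items() if len(seen_by[k]) >= MIN_DEVICES}

if __name__ == "__main__":
    for cell, why in find_suspect_cells(REPORTS).items():
        print(cell, why)
```

In a real deployment the inventory would also need the cells of other networks that devices legitimately report, otherwise those would be flagged as unknown.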

Device-Level Detection (User Equipment)

  • Detection Apps: Users can install apps like FBSDetector, SnoopSnitch, or CellGuard on their mobile devices. While those are useful on a personal level, their reliability and effectiveness vary due to the restricted data received from the baseband chip. For example, they do not have the holistic technical ‘visibility’ required to see the attack and distinguish it from other normal technical issues. In combination with other indicators, they still provide a useful tool.
  • Machine Learning (ML) Models: Modern research uses ML frameworks (like FBSDetector) to analyse network traces and recognize attack signatures.
  • Behaviour Rule-Based Systems: Systems like “SMDFbs” (Specification-Based Misbehaviour Detection for False Base Stations) derive behaviour rules from normal base station operations and use a state machine to detect deviations in real-time.
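
The idea behind the rule-based approach, modelling what a normal base station does and flagging anything else, can be shown with a small state machine. This is an added illustration, not the SMDFbs rule set: the states, event labels and transitions are constructed simplifications and do not correspond to exact 3GPP message names.

```python
# Added illustration. States, event labels and transition rules are constructed
# simplifications (assumptions), not the SMDFbs rule set or 3GPP message names.
IDLE, CONNECTED, AUTHENTICATED, SECURED = "IDLE", "CONNECTED", "AUTHENTICATED", "SECURED"

# (current state, observed event) -> next state, for behaviour the model treats as normal.
NORMAL = {
    (IDLE, "connection_setup"): CONNECTED,
    (CONNECTED, "identity_request"): CONNECTED,
    (CONNECTED, "authentication_ok"): AUTHENTICATED,
    (AUTHENTICATED, "ciphering_enabled"): SECURED,
    (SECURED, "sms_deliver"): SECURED,
}
RELEASE = "connection_release"   # accepted from any non-idle state, returns to IDLE

def check_trace(events):
    """Replay one device-side trace; return (index, state, event) per deviation."""
    state, deviations = IDLE, []
    for i, event in enumerate(events):
        if event == RELEASE and state != IDLE:
            state = IDLE
            continue
        nxt = NORMAL.get((state, event))
        if nxt is None:
            # No rule covers this event in this state: record it, keep the state.
            deviations.append((i, state, event))
        else:
            state = nxt
    return deviations

# Constructed traces: one that follows the model, one that skips steps.
EXPECTED_TRACE = ["connection_setup", "identity_request", "authentication_ok",
                  "ciphering_enabled", "sms_deliver", "connection_release"]
DEVIATING_TRACE = ["connection_setup", "identity_request", "sms_deliver",
                   "connection_release", "connection_setup", "ciphering_enabled"]

if __name__ == "__main__":
    print(check_trace(EXPECTED_TRACE))
    print(check_trace(DEVIATING_TRACE))
```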

Regulatory and National Detection

  • Honeypots and Drive Tests: Some authorities and even some operators deploy honeypots in densely populated areas like city centres and embassy areas, or conduct drive tests to find active SMS blasters.
  • National-Level Log Analysis: A false base station would not only affect one operator, but usually several operators that operate in a geographical area. Therefore, cooperation between national operators, combined with joint analysis of suspicious events, helps identify broader patterns of false station activity.

The detection measures presented here work best in combination. Countries that have not yet been affected by false base stations should investigate whether they have the capability to quickly ramp up detection. This includes availability of the right logs and software to process the information at least on a basic level.

For countries that already have some basic detection capabilities, an analysis should be made of whether the additional measures would provide further insights into the attackers’ behaviour. With SMS blasters, speed of detection is essential for successful law-enforcement action.

Sources

  1. Fake Base Station Detection and Link Routing Defense, MDPI / NSF Public Access Repository
  2. FBSDetector
  3. SMDFbs
  4. White-Stingray: Evaluating IMSI Catchers Detection Applications
  5. arXiv Research on ML-based Detection
  6. SolCyber: Scammers Abuse Mobile Interceptors
  7. Industry reports and news from Risky Business, HackerNoon and NCSC Switzerland. Linked articles are examples; there are more articles on this subject on the respective sites.
  8. Ericsson Blog: Detecting False Base Stations
Eleanor Holtmanns and Silke Holtmanns
Dr Silke Holtmanns (pictured right) is a distinguished expert in telecommunication security. She has worked as a security architect and researcher for Norlys, PwC, Enea, Bell Labs, Nokia and Ericsson as well as being an advisor to ENISA and the GSMA. Silke is the founder of Blue Hour Oy, a security consultancy.

Eleanor Holtmanns (pictured left) works as a Technical Consultant at Blue Hour Oy while studying Mathematical Sciences at the University of Oulu.
