If you search Google Play, the store for Android apps and other content, you will find plenty of apps that allow users to send spoof SMS messages which will appear to come from a different CLI to that of the user. But should Google sell these apps, and are they encouraging crime by doing so? That was the question recently brought to my attention by Wilfred Sonny Gomez Jr, who works in the IT & Product Security team at Maxis, the Malaysian operator.
These are examples of the functionality boasted by some of the apps available on Google Play:
XXXX is a cool app for sending International SMS messages on low rates. XXXX can easily spoof the SMS message sender’s number and if the receiver has the number stored in his phone book, the contact name will be the one that appears on his screen.
Send 100% Anonymous SMS Messages to ANY mobile number in the world! Set the Sender’s Name or Number to anything you want – pretend to be someone else.
XXXX has the ability to change your Caller ID while text messaging friends and family. It will Spoof the ID of any number you wish and be able to send text messages to any number using the ID you have Spoofed. XXXX makes it easy to fake a message. Be able to trick friends and enemies at any time with this super awesome app!
Though the apps are generally promoted as a way to play jokes on people, there is obviously a risk that individuals will use them for more sinister purposes. They could be used to swindle money from unsuspecting recipients; the spoof messages might entice them to dial an expensive PRS number. There is also the risk of bullying and other harassment. People can be nasty if they think they will not be caught. Another risk is that the spoof app user might send an unpleasant message that appears to come from the real number of an innocent person, in order to cast blame upon them.
It is good that Wilfred has identified this issue, but the makers of these apps will say they are offering a legitimate product. Making the argument against them will depend on evidence that the apps are misused in practice. That may not be so easy, not least because many of the apps receive plenty of negative reviews saying they do not work properly.
Though the apps may be legal, a privately-run market like Google Play also imposes its own conditions. I checked the Google Play Developer Policy, and found it lacked a criterion that could be used to ban apps like these. The most helpful section states:
Deceptive Behavior
We don’t allow apps that attempt to deceive users. Apps must provide accurate disclosure of their functionality and should perform as reasonably expected by the user. Apps must not attempt to mimic functionality or warnings from the operating system or other apps. Any changes to device settings must be made with the user’s knowledge and consent and be easily reversible by the user.
When Google refers to the user, they are thinking of the person who owns the phone and buys the app. But if it is necessary to protect the app users from deception, is there not a similar argument to protect other phone users from deception too? Phones are used for communication between people. Can Google really justify a moral stance which says the person who sends the message must know the truth, but the app can be designed to intentionally mislead the person on the receiving end?
I am grateful to Wilfred for highlighting the potential problem with spoofing apps. Now my worry is that there may be a serious problem but we will collectively fail to address it because everybody thinks the responsibility lies elsewhere. I would be happy to collate information which shows these apps pose a threat, and use it to put pressure on Google to update the policies for Google Play. But that depends on what information I receive. Or perhaps there is an organization already focused on this concern, and we should be supporting their existing efforts. If you think there is a danger, if you have relevant information, if you know of a campaign to ban spoofing apps, or if you know somebody who has been deceived, then I encourage you to share the experience. And if you are concerned about the risk, then please share this article with others, so they can lend their support.
This industry needs to work together if we want to deal with issues like this. If we do not tackle deception at its root, we will inevitably suffer later on.
Why do you single out Google, there are no spoofing apps on iOS?
I think there are several different cases:
1. You can have a legitimate app ( by legitimate I mean an app that uses controllable routes and that can provide access/logs to law enforcement if required during an investigation). That app may be mis-used/absued but in that case if the victim files a complaint there’s a chance there is data available.
2. You can have an illegitimate app that would usually route SMS traffic via some CSPs own signalling routes. In that case I can assume the app will not be around for long and it will be replaced by another and so on. IN this case, there will be next to 0 data available in case of a complaint.
There are different ways to do “spoofing” and it would be indeed a welcome change if there was some clarity on the checks done before these apps are available.
I single out Google only because I am a single human being, and so I lack the time and resources to thoroughly investigate every app market! If people care about this issue then it may merit further attention. If they do not care, then nothing is gained by investigating every app market before writing an article – I was interested to see if telco people care about this issue. And Google is pretty big, after all.
Do we really look at the source of the problem… or we often try solving the surface alone? The real problem is actually official stores legalizing applications that could lead to illegal or unlawful activities…. its like we don’t allow the use of guns but allow the sale of it….