How scammers abuse mobile phone interceptors, and what you can do

Paul Ducklin
06/25/2025

Fake base stations revisited

Remember Stingrays?

In the context of mobile phones, Stingray was the brand name of a mobile phone monitoring device known more generally as an IMSI catcher or a cell-site simulator.

IMSI, short for international mobile subscriber identity, uniquely identifies the specific subscriber using a phone, so “catching” IMSIs as they are used allows for precise and continuous tracking of users, for example by law enforcement.

However, for privacy and security reasons, IMSIs aren’t broadcast all the time, in the way that Bluetooth or Wi-Fi hardware addresses are, but are only sent over the mobile network occasionally, for example when a phone is turned on and first connects to a mobile phone mast or base station in a part of the network where it hasn’t been seen before.

IMSI catchers, therefore, are portable mobile base stations, initially sold to and used by law enforcement to act as “lures” to trick nearby phones into connecting to them instead of the transmitters operated by the mobile network providers themselves.

When tailing suspects, an IMSI catcher close to the suspects’ vehicle would probably be detected by the phones in the vehicle as the strongest and most reliable route onto the mobile network, thus giving the law enforcement team operating the IMSI catcher a chance to run what’s known as a MitM, or a manipulator in the middle attack.

An IMSI catcher can not only keep track of the exact phones and users who connect to it, but also manipulate their connections, for example by pretending to be an old-style brand of base station, such as a 2G device, thereby tricking the phones that have been lured to it into falling back to older, less secure mobile phone protocols.

Phone users can then not only be tracked, but also unknowingly drawn into using old encryption algorithms that can easily be cracked (sometimes even including what’s rather redundantly known as a “null cipher,” which is effectively a layer of encryption that doesn’t scramble its input at all).

As you can imagine, as the popularity of IMSI catchers with law enforcement grew, so did the privacy backlash from organizations such as the Electronic Frontier Foundation (EFF), who began publishing advisories about their use and risks.

The tables have turned

Well, in recent years, the tables have turned, in more ways than one.

Instead of being specialized, high-priced devices marketed and sold to law enforcement for tracking and surveillance purposes, this technology is now available for purchase online by anyone, with prices starting as low as $3000.

And although IMSI catching is still one of the “features” that these devices can perform, they have now been rebranded by their sellers as SMS blasters, with the primary function of spewing rogue messages to your phone (and the phones of everyone else in the vicinity), rather than listening in to messages coming from your phone.

Indeed, SMS blasters are generally designed to work not as MitM devices, sitting in between you and the real mobile network, but to sidestep the mobile network entirely.

SMS blasters lure your phone into accepting text messages (SMSes) that appear to come from a legitimate subscriber on the network, but that in fact never went through the network at all.

For a low, low, one-off price of $3500, for example, one company that operates and advertises quite openly on the non-dark web is selling a standalone, battery-powered SMS blaster that:

  • Doesn’t require any SIM cards or mobile network identity of its own. This means that there are no subscription charges to operate it, and no way for legitimate mobile networks to restrict its access or shut down its connectivity.
  • Doesn’t send any data through the mobile network. This bypasses any rate limiting protections and spam filters that the network would normally impose, allowing any message text to be sent to anyone, accompanied by any URL aimed at luring victims to a phishing site.
  • Doesn’t use the mobile network for encryption or authentication. By controlling the connection directly to and from your phone, the device can control the name or phone number that shows up as the sender of the message, thus masquerading as your bank, your healthcare provider, the government tax office, or law enforcement. Message blocking tools that identify scammy or unknown senders don’t work if the sender looks legitimate.
  • Doesn’t need to know any mobile numbers to send to. Instead of relying on the mobile network to locate individual subscribers and message them one-to-one, the device blasts the chosen message to phones within current radio range, typically at least 500 meters but possibly much more.
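
The 2G fallback and null cipher described earlier, together with the blaster's direct delivery of messages, leave traces that a phone-side monitor can look for. The following is an added example, not code from this article or from any vendor: the record fields, cell names, sender and the two-signal threshold are assumptions, and the capture is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Obs:
    """One serving-cell observation (hypothetical format for this example)."""
    t: int                          # seconds since capture start
    rat: str                        # "LTE", "NR" or "GSM" (2G)
    cell: str                       # cell identity reported by the phone
    cipher: str                     # "A5/0" is GSM's no-encryption setting
    sms_from: Optional[str] = None  # sender shown for an SMS received at t

def suspicious(log, known_cells):
    """Return (t, reasons) for 2G observations showing two or more warning signs."""
    alerts, prev = [], None
    for o in log:
        reasons = []
        if o.rat == "GSM":
            if prev is not None and prev.rat != "GSM":
                reasons.append(f"fell back from {prev.rat} to 2G")
            if o.cell not in known_cells:
                reasons.append("cell not seen before")
            if o.cipher == "A5/0":
                reasons.append("null cipher")
            if o.sms_from is not None:
                reasons.append(f"SMS from {o.sms_from!r} arrived over 2G")
        if len(reasons) >= 2:
            alerts.append((o.t, reasons))
        prev = o
    return alerts

# Constructed capture: cell names and sender are made up.
KNOWN_CELLS = {"lte-1001", "lte-1002", "gsm-2001"}
LOG = [
    Obs(0, "LTE", "lte-1001", "EEA2"),
    Obs(30, "LTE", "lte-1002", "EEA2"),
    Obs(45, "GSM", "gsm-9999", "A5/0"),                        # lured to unknown 2G cell
    Obs(50, "GSM", "gsm-9999", "A5/0", sms_from="TaxOffice"),  # message lands
    Obs(90, "LTE", "lte-1002", "EEA2"),
    Obs(400, "GSM", "gsm-2001", "A5/3"),                       # ordinary 2G coverage
]

if __name__ == "__main__":
    for t, reasons in suspicious(LOG, KNOWN_CELLS):
        print(f"t={t}s: " + "; ".join(reasons))
```

A single sign on its own, such as a fallback to a known 2G cell with encryption on, is not reported, because ordinary coverage gaps produce that too.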

In case you’re wondering, the company above also sells rechargeable battery packs suitable for operating their device from the back of a car, provides IMSI catching as an “auxiliary feature” just in case their customers want to use it, and has a mobile app that can control multiple devices remotely via Wi-Fi, for example as other members of the gang drive the devices through busy parts of town.

There’s even an iPad version of their mobile app, with all-5-star reviews, happily hosted as a free download on Apple’s App Store.

The app lets scammers control multiple devices at the same time, and will use GPS to detect “geofenced” areas in which rogue messages should not be sent, for example if the criminals suspect that an area is under radio counter-surveillance by law enforcement.

Blasters in real life

SMS blasters have featured in the news several times in recent months, with police busting rogue operators in several major cities.

This week, in fact, a Chinese student was jailed in London for operating an SMS-based phishing scam earlier this year:

Between 22 and 27 March 2025 Ruichen Xiong, a student from China had installed an SMS Blaster in his vehicle to commit smishing fraud, targeting tens of thousands of potential victims.

Xiong drove around the Greater London area in a Black Honda CR-V. This vehicle was used to hold and transport an SMS Blaster around in the boot. […]

The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organizations, such as government bodies, where the victim was encouraged to click a link. The link would subsequently take them to a malicious site that was designed to harvest their personal details.

What to do?

  • Never trust the caller’s or sender’s name or number that your phone displays. For both text messages (SMSes) and phone calls, the sender’s information may be fake, in just the same way that the From: and Subject: lines in an email can be set to anything the sender wants in order to lure you into a false sense of security.
  • Turn off old-school 2G support on your phone if you can. Even if no 2G networks still operate in your country, your phone may still support and accept 2G connections, which IMSI catchers and SMS blasters exploit to downgrade security and bypass modern protections on your connection. (See advice below on ways to do this.)
  • Avoid using contact details provided by the sender of a message. Legitimate businesses such as home delivery companies usually provide short URLs in text messages for convenience, which softens us up to click links from other senders, too. Consider looking up the URLs and phone numbers for popular services now, and keep (or bookmark) a trustworthy list of your own so you don’t fall into the habit of clicking on hard-to-verify links in emails and SMSes.
  • Add an extra layer of security to your mobile devices, which are typically protected only by basic MDM (mobile device management) tools. Signing up for SolCyber Mobile Protection brings your mobile threat response to a new level, including blocking phishing attempts and messaging scams that specifically target phone users.
  • Aim for prevention, because it’s better than cure. Sign up with SolCyber for proactive threat detection and prevention so you don’t have to build a 24/7 SOC of your own.
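
The first and third points above can be applied mechanically: ignore the displayed sender and judge each link only against a list you built yourself. This is an added example, not code from this article or from SolCyber; the hostnames, sender name and message are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Hostnames you looked up and bookmarked yourself (constructed placeholders).
MY_LIST = {"bank.example", "parcels.example", "tax.example.gov"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_host(url):
    """Host the link really goes to, or None if it cannot be parsed."""
    try:
        # .hostname drops any "user@" prefix, so https://bank.example@pay.test/
        # resolves to pay.test, not bank.example.
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def on_my_list(host, allow=MY_LIST):
    """True only for a listed name or a real subdomain of one."""
    if host is None or not host.isascii() or "xn--" in host:
        return False  # unparseable, or an internationalised lookalike candidate
    return any(host == d or host.endswith("." + d) for d in allow)

def review_sms(sender, body, allow=MY_LIST):
    """Check every link in the message; `sender` is deliberately never used."""
    results = []
    for raw in URL_RE.findall(body):
        host = link_host(raw.rstrip(".,;:!?)"))
        results.append((host, on_my_list(host, allow)))
    return results

# Constructed message of the kind a blaster could deliver under any sender name.
SAMPLE = ("You are owed a refund. Claim at "
          "https://tax.example.gov.refund-claim.test/now or "
          "https://bank.example@pay.test/login today. "
          "Help: https://www.tax.example.gov/help.")

if __name__ == "__main__":
    for host, ok in review_sms("TaxOffice", SAMPLE):
        print(f"{host}: {'on your list' if ok else 'NOT on your list'}")
```

Shortened links cannot be judged this way, since the shortener's hostname says nothing about the destination; treat them as not on your list.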

BLOCKING 2G PROTOCOLS ON ANDROID

Some Android versions on some devices have an Allow 2G option that can be toggled on or off.

Go to Settings > Network and Internet > SIMs.

For each SIM card (or eSIM) installed, you will be able to tap through to configure connection settings for that provider. Look for the Allow 2G option (or similar) and turn 2G off.

BLOCKING 2G PROTOCOLS ON IPHONE

According to Apple, locking out access to insecure 2G connections can only be done via Settings > Privacy & Security > Lockdown Mode, where you can choose Turn On Lockdown Mode.

Note that this mode enforces a number of other strict security settings as well as preventing old-style mobile connections, because it’s aimed mainly at users who are worried about being under active, unauthorized surveillance (such as getting infected by targeted surveillance malware).

Notably, you can’t connect your phone to your laptop via USB cable while Lockdown Mode is turned on, and many websites will appear with useful features suppressed, such as viewing images or watching videos.


Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers.


More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!


Featured image of crocodile by Fernando Jorge via Unsplash.
