Rise of SMS-Based Mobile Fraud Through Smishing and OTP Interception
Criminals are increasingly abusing SMS as a fraud channel, using both network-level and device-level techniques to bypass traditional defenses and steal credentials, banking data, and one-time passcodes. One reported method uses SMS blasters—portable false base stations or cell-site simulators—to inject phishing texts directly into nearby phones without traversing carrier networks, allowing messages spoofing government agencies or banks to evade carrier spam filtering. Another technique targets Android devices through the LSPosed framework and the Digital Lutera module, enabling attackers to capture SMS verification tokens, impersonate phone numbers, insert fraudulent SMS records, and support real-time payment app account takeover and transaction approval.
The fraud ecosystem also includes large-scale smishing campaigns built around fake parcel delivery notifications, with Group-IB reporting sustained growth across the Middle East and Africa and postal brands most frequently abused. Those campaigns use urgent shipment-tracking lures to drive victims to counterfeit courier sites that harvest personal data, card details, banking credentials, and OTPs. Together, the reporting shows that mobile fraud is expanding through both social engineering and deeper technical abuse of telecom and mobile operating system trust models, exposing weaknesses in SMS-based authentication and message trust assumptions.
Timeline
Mar 18, 2026
Researchers report Android LSPosed attack enabling payment app takeovers
CloudSEK disclosed that attackers were abusing Android's LSPosed framework with a module called Digital Lutera to compromise mobile payment apps at the OS level. The module could intercept SMS verification tokens, collect 2FA codes, falsify SMS records, and support real-time fraudulent transaction approvals.
Dec 1, 2025
Egypt identified as top target in MEA shipment scam dataset
In data covering December 2025 through February 2026, Egypt was the most targeted country in the fake shipment-tracking campaign, while postal services were the most abused sector. The phishing pages were mobile-optimized and used WebSocket scripts to exfiltrate keystrokes in real time.
Jan 1, 2025
Fake shipment-tracking scam activity accelerates
Group-IB reported that the MEA fake shipment-tracking campaign intensified through 2025, indicating broader and more coordinated criminal activity. The infrastructure showed shared IPs, overlapping hosting, and traits linked to the Darcula phishing-as-a-service ecosystem.
Jan 1, 2025
SMS blaster smishing incidents expand globally
During 2025 and early 2026, SMS blaster attacks spread across multiple countries including the UK, Japan, Brazil, Indonesia, Thailand, Switzerland, the Philippines, Greece, and India. The technique used rogue base stations to force phones onto 2G and inject phishing texts outside normal carrier filtering.
Jan 1, 2024
Fake shipment-tracking smishing activity begins in MEA
Group-IB observed fake delivery SMS scams targeting users in the Middle East and Africa starting in early 2024. The messages lured victims to counterfeit courier sites designed to steal personal, banking, card, and one-time-password data.
Related Stories

SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links
Recent research highlighted systemic security and privacy risks created by **sign-in/authentication links delivered over SMS**, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected **332,000 unique SMS-delivered URLs** extracted from **33 million texts** sent to **30,000+ phone numbers**, and reported that messages from **701 endpoints** on behalf of **177 services** exposed *critical PII*. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems. Greek police separately dismantled a criminal operation in the Athens area that used a **rogue mobile base station** (an “**SMS blaster**”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and **downgraded them from 4G to 2G**, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with **phishing links** used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals. Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.
1 month ago
Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users
Infoblox researchers reported a long-running **International Revenue Share Fraud (IRSF)** campaign that uses fake CAPTCHA pages to trick mobile users into sending premium-rate international text messages. Victims are funneled through typosquatted telecom-themed domains, ad-network redirects, and **Traffic Distribution System (TDS)** infrastructure to scam landing pages that present bogus verification steps. Those prompts trigger JavaScript that opens the phone’s SMS app with pre-filled messages and dozens of international numbers, and a single four-step interaction can generate about **60 SMS messages to more than 50 destinations**, costing roughly **$30 or more** per session. Researchers said the operation has been active since at least 2020, uses high-fee destinations including **Azerbaijan, Egypt, and Myanmar**, and has been linked to an affiliate of a European **Click2SMS** network using infrastructure hosted on **AS15699, Adam Ecotech**. Separately, Toronto police arrested three men in what authorities described as Canada’s first criminal case involving a mobile **SMS blaster**, a rogue device that impersonates a cellular tower to push phishing texts and disrupt legitimate service. Investigators said the devices were tracked across the Greater Toronto Area after one was detected in downtown Toronto, and police seized multiple SMS blasters and related equipment. Authorities believe **tens of thousands of phones** connected to the rogue system, contributing to more than **13 million network disruptions** that may have interfered with normal mobile access and even emergency services such as **911**. The cases highlight how attackers are abusing both web lures and fake base-station hardware to scale **smishing** and mobile billing fraud.
5 days ago
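A defender-side check for the fan-out behaviour described in the IRSF story above, as an added example that is not code from Infoblox or from the original page: it scans page source for `sms:` URIs that pre-fill a message body for many recipients. The threshold, the function name and the sample page (including its phone numbers) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# sms:/smsto: URI with a recipient list and an optional pre-filled body.
SMS_URI = re.compile(
    r"\bsms(?:to)?:([+0-9,;().\-]+)(?:[?&;]body=([^\"'\s<>&]*))?",
    re.IGNORECASE,
)
MAX_RECIPIENTS = 3  # assumption: a legitimate page rarely pre-fills more


def find_sms_lures(page_source):
    """Return one finding per sms: URI that fans out to many recipients."""
    findings = []
    for match in SMS_URI.finditer(page_source):
        recipients = [r for r in re.split(r"[,;]", match.group(1)) if r]
        international = [r for r in recipients if r.startswith("+")]
        body = unquote(match.group(2) or "")
        # Flag only links that combine a large recipient list with a body.
        if len(recipients) > MAX_RECIPIENTS and body:
            findings.append({
                "recipients": len(recipients),
                "international": len(international),
                "body": body,
            })
    return findings


# Constructed page fragment: one ordinary contact link, one fan-out link.
SAMPLE_PAGE = """
<a href="sms:+10000000001?body=Hello">Text us</a>
<script>
function verify() {
  location.href = "sms:+9940000001,+200000002,+950000003,+9940000004,+200000005?body=VERIFY%204821";
}
</script>
"""

if __name__ == "__main__":
    for finding in find_sms_lures(SAMPLE_PAGE):
        print(finding)
```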
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
1 month ago
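A server-side policy gate for the `MEETS_STRONG_INTEGRITY` enforcement mentioned in the story above, as an added example that is not code from CloudSEK, Zimperium or the original page. It assumes the integrity token has already been decoded server-side into the verdict JSON; the package name, nonce, timestamps and the two-minute freshness window are constructed for illustration.

```python
REQUIRED_LABEL = "MEETS_STRONG_INTEGRITY"
MAX_AGE_MS = 120_000  # assumption: accept verdicts up to two minutes old


def check_verdict(verdict, expected_package, expected_nonce, now_ms):
    """Return the list of policy failures; an empty list means accept."""
    failures = []
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        failures.append("package mismatch")
    if req.get("nonce") != expected_nonce:  # binds the verdict to this session
        failures.append("nonce mismatch")
    try:
        age_ms = now_ms - int(req["timestampMillis"])
    except (KeyError, TypeError, ValueError):
        age_ms = -1
    if not 0 <= age_ms <= MAX_AGE_MS:
        failures.append("stale or missing timestamp")
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app not recognized")
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if REQUIRED_LABEL not in labels:
        failures.append("device lacks " + REQUIRED_LABEL)
    return failures


# Constructed verdict payloads (package name, nonce and times are made up).
NOW_MS = 1_770_000_060_000
SAMPLE_OK = {
    "requestDetails": {"requestPackageName": "com.example.pay",
                       "nonce": "c2Vzc2lvbi0wMDE", "timestampMillis": "1770000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [
        "MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]},
}
SAMPLE_MODIFIED = {
    "requestDetails": {"requestPackageName": "com.example.pay",
                       "nonce": "c2Vzc2lvbi0wMDE", "timestampMillis": "1770000000000"},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MODIFIED):
        print(check_verdict(sample, "com.example.pay", "c2Vzc2lvbi0wMDE", NOW_MS))
```

Running the gate before any SMS-based binding step means a failed verdict stops registration regardless of what the device later reports about its own SMS or telephony state.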