The most dangerous app on your phone
The many ways that cybercriminals target your phone’s messaging app
If, like the founding team at Corrata, you’ve been working in the mobile space since the dawn of the smartphone age, you’ll fully appreciate that the most critical messaging channel on a mobile phone is not the email inbox but the messaging client. You’ll also understand that the messaging client has only whatever protection your carrier, Google, Apple, or Samsung choose to provide. And as a mobile security professional you’ll question whether relying on consumer-grade protections is an acceptable strategy when it comes to your organization’s data.
To answer this question it's important to understand the evolving mobile messaging landscape. Many of you will have heard Apple's announcement that it plans to support interoperability between iMessage and the RCS messaging standard increasingly found on Android devices. RCS (Rich Communication Services) has supplanted SMS and MMS on many recent Android devices. RCS offers a messaging experience closer to WhatsApp than to traditional mobile messaging, but it has not been without its problems: in 2022 Google paused RCS business messaging in India after a deluge of spam, and RCS spam has recently spiked in the US. In the light of these changes it's worth reviewing not just the evolution of mobile messaging but also how these changes are affecting it as a threat vector.
In the beginning
In the beginning there was only SMS. SMS is not an IP based messaging protocol. Instead it rides on the signalling channels of the mobile network (the SS7 layer), originally using spare capacity there. The Short Message Service, to give it its full name, debuted in the early 1990s. Nokia's implementation of the messaging client was particularly successful and contributed to explosive growth both for Nokia and for SMS. By the early 2000s people were sending billions of messages every year. Each New Year's Eve would bring new records in the number of greetings sent by text, threatening to bring down entire mobile networks in the process.
Initially SMS messaging was device to device. This limited its exposure to fraud: there was a physical limit on the number of messages a single handset could send, and per-message charging meant that the economics of email spam didn't apply. This gradually changed with the growth of application to person (A2P) messaging, also known as wholesale or bulk messaging. A2P messaging was driven by ringtone distribution and voting on reality TV shows such as Big Brother and American Idol. Wholesale messaging was quickly recognised as a money spinner by mobile carriers, who opened up their infrastructure to capture the new revenue streams. The decentralized nature of the mobile telecoms system (there are over 750 mobile carriers worldwide) has made it impossible to block spam and other malicious content consistently at the network level, and SMS itself carries no sender authentication, so whoever holds a wholesale connection can set the sender ID to whatever they like. The reality is that there will never be an end to SMS based fraud at the network level.
Enter iMessage and RCS
There is nonetheless reason for hope as new IP based messaging systems developed or delivered by Google and Apple start to grab market share. iPhone users will be familiar with iMessage. Today iMessage only works between two Apple users. Apple users can also use iMessage to communicate with a business (Apple Messages for Business) but such communication must be initiated by the end users.
The newer kid on the block is Android's RCS based messaging. RCS is a GSMA standard, developed by the operators as an evolution of SMS/MMS. It incorporates richer messaging features such as sending files, group chats, read receipts and emoji reactions. In other words, all of the features that we know and love from popular messaging applications such as WhatsApp.
Initially RCS was a complete failure because carriers never launched the service at scale. Google has since taken the lead and built a successful RCS ecosystem. Using the Google Messages app, or in some cases the manufacturer's built-in messaging app, you can send RCS messages to other Android users. Apple's recent decision to support interoperability between iMessage and RCS is a game changer, though it is unlikely that SMS will ever completely disappear (neither Google nor Apple have any plans to stop supporting it).
Security around the RCS/iMessage environment has a number of important elements. Google has introduced end to end encryption for RCS conversations between two Google Messages clients. Note that this is an extension Google built on top of RCS rather than part of the RCS standard itself, so it does not apply when either end uses a different client or the carrier's RCS implementation. Google also verifies senders and filters A2P messages sent via its wholesale RCS Business Messaging (RBM) service. These messages are not end to end encrypted, which allows Google to examine their content for signs of fraud or other misuse. What's more, in contrast with SMS, with RCS there is effectively a single gatekeeper on wholesale messaging. Messages for Business is Apple's equivalent of RBM. Critically, from an anti-spam/anti-phishing perspective, Messages for Business only works where an end user initiates the interaction, for example by directing a question to an online support chat service.
The other important element is the spam filtering performed by the messaging client. This attempts to filter out spam messages which arrive on the device. Google’s messaging client appears to be very effective in this area. iMessage on the other hand has much weaker capability. And the messaging clients provided by phone manufacturers (which are often the default option on Android) provide only very patchy filtering.
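To make concrete what client-side filtering of this kind looks like, and why it catches bulk scams far more readily than a crafted message aimed at one person, here is a small rule-based smishing filter. It is an added example written for this page, not Corrata's product logic and not how Google Messages or iMessage actually classify traffic. The contact list, brand list, allowlisted domains and the five sample messages are all constructed for the demo; a real client would draw the first three from the address book and a curated feed.

```python
"""Rule-based on-device smishing filter (illustrative example, not any vendor's code).

Scores a message on sender reputation, link characteristics and
social-engineering cues, then labels it "spam" or "deliver".
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    sender: str   # E.164 number, short code or alphanumeric sender ID
    body: str


# Constructed demo data (assumptions for this example, not real data).
CONTACTS = {"+14155550100", "+447700900123"}
BRANDS = {"apple", "usps", "paypal", "amazon", "dhl", "netflix"}
LEGIT_DOMAINS = {"apple.com", "usps.com", "paypal.com", "amazon.com", "dhl.com", "netflix.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours",
           "act now", "final notice", "verify", "confirm your")
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin|card number|log ?in|sign ?in)\b")
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/\S*)?", re.I)
IPV4_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I)
THRESHOLD = 4


def extract_domains(text: str) -> list:
    """Hostnames appearing in the text, lowercased. No DNS, nothing is fetched."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def registrable(domain: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(domain.split(".")[-2:])


def brand_lookalike(domain: str) -> Optional[str]:
    """Return the brand name embedded in a domain that is not that brand's real domain."""
    if registrable(domain) in LEGIT_DOMAINS:
        return None
    return next((b for b in BRANDS if b in domain), None)


def score(msg: Message):
    """Return (points, reasons). Each rule is cheap enough to run on the handset."""
    points, reasons = 0, []
    body = msg.body.lower()
    if msg.sender not in CONTACTS:
        points += 1; reasons.append("sender not in contacts")
    # Alphanumeric sender IDs are free text on SMS, so a brand name there proves nothing.
    if not msg.sender.startswith("+") and any(b in msg.sender.lower() for b in BRANDS):
        points += 2; reasons.append(f"alphanumeric sender ID impersonates a brand: {msg.sender}")
    for d in extract_domains(msg.body):
        brand = brand_lookalike(d)
        if brand:
            points += 3; reasons.append(f"look-alike domain for {brand}: {d}")
        elif registrable(d) in SHORTENERS:
            points += 2; reasons.append(f"URL shortener hides destination: {d}")
        elif registrable(d) not in LEGIT_DOMAINS:
            points += 1; reasons.append(f"link to unknown domain: {d}")
    if IPV4_RE.search(msg.body):
        points += 2; reasons.append("raw IP address URL")
    hits = [w for w in URGENCY if w in body]
    if hits:
        points += min(len(hits), 2); reasons.append(f"urgency cues: {hits}")
    if CREDENTIAL_RE.search(body):
        points += 1; reasons.append("asks for credentials")
    return points, reasons


def classify(msg: Message) -> str:
    return "spam" if score(msg)[0] >= THRESHOLD else "deliver"


# Constructed sample traffic: three scams, one legitimate notification, one friend.
SAMPLES = [
    Message("+12025550199", "USPS: your package is held. Verify your address within 24 hours "
                            "at https://usps-redelivery.info/track or it will be returned."),
    Message("+14155550100", "Running 10 min late, order me a coffee? Thanks"),
    Message("+18005550111", "Your Amazon order has shipped. Track it at https://www.amazon.com/orders"),
    # Targeted pretext: no link, no brand, no urgency keyword, so the rules see almost nothing.
    Message("+447700900999", "Hi Sarah, it's Mark from finance. Still stuck in the board meeting, "
                             "can you text me back on this number? Need a quick hand with a supplier payment."),
    Message("PayPal", "PayPal: unusual sign in detected. Confirm your identity now: https://bit.ly/3xAmple"),
]


def run_demo() -> dict:
    """Label every sample; returned for inspection and testing."""
    return {m.sender: classify(m) for m in SAMPLES}


if __name__ == "__main__":
    for m in SAMPLES:
        pts, why = score(m)
        print(f"{classify(m):7} {pts:2}  {m.sender:15} {why}")
```

The two bulk scams score well over the threshold on look-alike domains, shorteners, a forged sender ID and urgency wording. The fourth message, a conversational pretext with no link and no keyword, scores the same as the genuine Amazon notification and is delivered, which is exactly the gap the discussion of targeted phishing below is concerned with.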
Looking to the future
This of course raises the question of how malicious messages are still ending up on devices notwithstanding Google's inspection of wholesale messages. We believe that cyber criminals are bypassing this control by sending messages directly from handsets (more likely from racks of dozens of phones than from a single device). End to end encryption makes centralized scrutiny of these messages impossible. What's more, because the messages are IP based they carry no per-message cost and can be sent in large numbers even without a wholesale connection to the service. For these reasons alone we have to expect that message based fraud will remain a viable option for determined attackers targeting high value opportunities. The publication of pypush, an open source proof of concept library that enables any type of computer to send and receive end-to-end encrypted messages over the iMessage protocol, demonstrates that it will also remain relatively easy to push malicious content into the iMessage environment from non-Apple hardware, notwithstanding Apple's efforts.
The widespread adoption of RCS and its interoperability with iMessage will, we believe, significantly reduce consumer focused messaging fraud. In particular, improved spam filters on messaging clients will reduce the incidence of messaging scams reaching the end user. Ironically this will make the messaging channel an even more attractive option for the kind of targeted phishing attack which we see being launched against high value targets. Ultimately we face a future where messaging spam becomes less prevalent but targeted phishing attacks over the mobile channel remain a serious concern.