SMS Blasters Are the Smishing Scam to Watch in 2026

Written by mkhn | Published 2026/03/19

TL;DR: SMS blasters are portable devices that mimic cell towers and inject phishing texts. They bypass every carrier-level spam filter because the messages never touch the carrier network.

SMS blasters are portable devices that mimic cell towers and inject phishing texts directly into nearby phones. In under two years, they have become a global smishing (SMS phishing) weapon. They bypass every carrier-level spam filter because the messages never touch the carrier network. This article examines how these devices work, why 2G is the critical vulnerability, the global explosion of incidents in 2025, and what the industry needs to do about a threat that current defenses were never designed to handle.


In March 2025, a Chinese student named Ruichen Xiong drove a black Honda CR-V through Greater London for five days. In the trunk was a suitcase-sized device with antennas that acted like a cell tower. Every smartphone within roughly one kilometer connected to it automatically, mistaking it for the strongest nearby cell tower. Once connected, the device injected fake text (SMS) messages, appearing to come from Gov.uk, HM Revenue and Customs (HMRC), and major banks, directly into victims' messaging inboxes.

Several thousand people received these messages.

When the police officers sent to arrest Xiong arrived, they too received a phishing message claiming to be from HMRC, offering a tax refund. Those messages came from the device in the trunk of the car they were about to pull over.

Xiong was sentenced to more than a year in prison. The device he used is known as an SMS blaster, and by 2026, it had become one of the fastest-growing SMS fraud delivery mechanisms worldwide.


What is an SMS Blaster?

An SMS blaster is a variation of what security researchers call a cell-site simulator, false base station, or IMSI catcher. The technology itself is not new. Law-enforcement agencies have used similar devices, such as Stingray, for years to locate suspects or intercept communications. But the criminal use case is different. Instead of passive surveillance, SMS blasters actively push fraudulent messages to every phone within range.

How It Works: The Attack Chain

The attack works by exploiting a fundamental behavior in how mobile phones connect to networks:

  1. The blaster broadcasts a fake 4G or 5G signal, appearing to be a legitimate cell tower
  2. Nearby phones automatically connect to the strongest signal
  3. The device forces the phone to downgrade to the legacy 2G protocol
  4. Because 2G lacks mutual authentication, the phone cannot verify the tower's identity
  5. The attacker injects SMS messages spoofing any sender identity

Cathal McDaid, VP of Technology at telecom security firm Enea, described the speed of this: the entire chain (4G capture, downgrade to 2G, SMS injection, and release) can take less than ten seconds. The victim's phone reconnects to the legitimate network immediately afterward, and the person may never notice anything happened (TechRadar, October 2025).

The range is significant. According to the Swiss National Cybersecurity Centre, an SMS blaster can reach phones within up to 1,000 meters. Thai police reported in 2024 that one device sent nearly one million messages during a brief period of operation, at a rate of 100,000 texts per hour.

Why Carrier Defenses Don't Apply

In my work on messaging security systems, I have dealt with many forms of SMS abuse — person-to-person spam, bulk phishing campaigns sent through application messaging channels, fake sender IDs routed through carrier infrastructure. But SMS blasters represent something categorically different: an attack that operates entirely outside that infrastructure.

Every filter, every machine learning model, every sender reputation database that carriers have built over the past decade is irrelevant because the message never passes through the network. Anton Reynaldo Bonifacio, Chief Information Security Officer at Globe Telecom in the Philippines, described it plainly: none of their security controls apply to messages phones receive from SMS blasters (Wired, via TechRadar, October 2025).

This is not a gap that can be patched with a software update. It is a structural limitation — the defenses were built for a different attack surface.


2025: The Year SMS Blasters Went Global

SMS blasters had appeared sporadically in Southeast Asia for years, often deployed for guerrilla marketing at concerts, malls, and political rallies. What changed in 2025 was the scale, geographic spread, and criminal sophistication.

Commsrisk, a trade publication for the telecom sector, maintains a Global Fraud Dashboard tracking SMS blaster incidents worldwide.

By late 2025, they noted that the rate of incidents was accelerating so quickly that publishing individual articles about each country would leave no time to cover anything else.

Here is a partial timeline of documented incidents:

March 2025 — London, UK: Ruichen Xiong sentenced for driving an SMS blaster through Greater London for five days, targeting tens of thousands of phones with fake HMRC and banking messages.

May 2025 — Japan: The Ministry of Internal Affairs and Communications issued a public alert about rising smishing via fake base stations after a researcher discovered SMS blasters being driven through Tokyo and Osaka.

May 2025 — Brazil: Authorities in São Paulo dismantled an SMS blaster gang after a local telco reported interference with its cellular signal.

June 2025 — Indonesia: Authorities arrested a man blasting SMS phishing texts across Jakarta.

August 2025 — Bangkok, Thailand: Police trailing a white Suzuki began receiving fake bank alerts on their own phones. Inside the car, they found a false base station, router, power unit, and a shark-fin antenna on the roof. Two men, aged 23 and 25, had been hired by a Chinese operator for approximately $100 per day.

October 2025 — Muttenz, Switzerland: Police arrested a 52-year-old Chinese national driving an SMS blaster sending fake messages impersonating UBS bank, the Swiss Post Office, and Migros supermarket.

Late 2025 — Philippines: The Bank of the Philippine Islands reported that approximately 80% of online banking fraud cases were now connected to smishing messages sent by fake base stations — a dramatic increase from very few such cases during 2024.

January 2026 — Sparta, Greece: Police arrested two foreign nationals after discovering a vehicle-mounted SMS blaster with a roof-mounted "shark fin" antenna. The device forced nearby phones to downgrade to 2G and sent phishing SMS impersonating Greek banks.

January 2026 — Cyberabad, India: Police arrested 25 people tied to foreign scam networks using SMS blasters in crowded public areas. Indian government data shows telecom-related cyber fraud increased approximately 300% between 2024 and 2025, with losses exceeding ₹30,000 crore (roughly $3.5 billion USD) in 2025 alone.

February 2026 — London, UK: Further arrests and convictions were reported as the Metropolitan Police expanded its investigation into organized SMS blasting networks.

What makes this timeline alarming is the speed of geographic diffusion. In 2023 and early 2024, SMS blaster fraud was concentrated in a few Southeast Asian countries. By the end of 2025, it had spread to every inhabited continent.


The Waterbed Effect: Why Better Filters Made Things Worse

To understand why this threat is so difficult to address, you need to understand how carrier anti-fraud infrastructure actually works — and where its limits are.

Over the past decade, carriers have invested heavily in anti-spam systems. Modern networks filter SMS messages using sender reputation scoring, machine learning models trained on known spam patterns, URL blacklists, and real-time traffic analysis. These systems are genuinely effective. Virgin Media O2 in the UK, for example, reported blocking more than 600 million scam texts in 2025 alone.

But here is the problem: all of these protections operate within the carrier network. They analyze messages as those messages traverse the infrastructure between sender and recipient. An SMS blaster never enters this infrastructure. The message goes directly from the attacker's device to the victim's phone over the radio layer — the lowest level of the cellular stack, below where any carrier security operates.

This created a dynamic that security researchers sometimes call the waterbed effect: press down on one attack vector, and the pressure surfaces somewhere else. In the Philippines, as carriers improved their anti-fraud filters and blocked SMS messages containing URLs, criminals migrated specifically to SMS blasters because they bypass those filters. The better carriers get at filtering network-level spam, the more attractive SMS blasters become as an alternative delivery mechanism.

Globe Telecom took the extraordinary step of voluntarily removing all hyperlinks from its own customer SMS messages — a defensive posture based on the reality that their network-level controls simply do not apply to messages delivered by SMS blasters. The reasoning was pragmatic: if Globe never sends links, then any SMS claiming to be from Globe that contains a link is automatically suspicious, regardless of how convincingly it spoofs the sender ID.

It is a telling response. A major carrier was forced to change its own communications behavior because an attacker had found a way to route entirely around its defenses.


A Parallel Attack Vector: Cellular Routers

While SMS blasters are a physical, street-level attack, 2025 also saw the emergence of a complementary technique that achieves a similar result remotely — without any hardware in a car trunk.

In July 2025, French security firm Sekoia discovered that attackers were exploiting the SMS APIs of Milesight Industrial Cellular Routers — devices commonly used in remote industrial settings for connectivity and monitoring. These routers include a feature allowing administrators to send and receive SMS alerts. Attackers discovered that many of these APIs were exposed on the public internet without authentication.

The scale was significant: over 19,000 Milesight routers were publicly accessible, at least 572 with their SMS APIs completely exposed. In May 2025, attackers used this technique to transmit identical phishing messages to more than 42,000 Swedish phone numbers and 31,000 Italian phone numbers in a single campaign, impersonating government services, banks, and postal services. Evidence suggests the technique had been used since at least February 2022.

Like SMS blasters, these messages bypass carrier-level filters — not because they go around the network, but because they enter it from an unexpected angle. The router sends the message as a device SMS, which is indistinguishable from a regular person-to-person text from the carrier's perspective.

The underlying principle connecting both attacks is the same: SMS messages can be injected at layers below where carrier security operates, whether that injection point is a device in a car a kilometer away or an industrial router sitting unsecured on the open internet.


Why 2G Is the Critical Vulnerability

Every SMS blaster attack depends on one thing: forcing the target phone to downgrade to 2G. This is not incidental — it is a structural necessity of the attack.

The 2G standard (GSM), designed in the late 1980s, lacks mutual authentication. When a phone connects to a 2G tower, the tower can verify the phone's identity, but the phone has no way to verify the tower's. A fake tower broadcasting a 2G signal is indistinguishable from a real one. Additionally, 2G connections can be configured with null encryption (cipher A5/0), allowing an attacker to read and inject messages in plaintext.

3G, 4G, and 5G all include mutual authentication — both the phone and the tower must prove their identity to each other. This is why SMS blasters first lure phones with a fake 4G signal and then force a downgrade: the attack cannot work on modern protocols.

The protections available today, by platform:

Android 12 (2021): Introduced a user toggle to disable 2G connectivity at the modem level. Pixel phones were first to implement this.

Android 14 (2023): Added an option to disable null ciphers (A5/0), which SMS blasters require to inject message payloads.

Android 16 (2025): Made 2G disabled by default when Advanced Protection Mode is enabled, and introduced notifications alerting users when their phone may be connected to a suspicious 2G tower.

iPhone: The only way to disable 2G on iOS is through Lockdown Mode — a setting Apple designed for users at extreme risk of targeted attacks. Lockdown Mode severely restricts device functionality and is not practical for everyday use. There is no standalone 2G toggle on iOS.

This asymmetry matters. Android users on recent versions can mitigate the primary SMS blaster attack vector with a single settings change. iPhone users cannot, short of accepting significant trade-offs to their device's functionality.

The 2G problem is one of the clearest examples of legacy technology creating ongoing security debt. Carriers have been phasing out 2G for years — many markets have already shut down their 2G networks entirely. But phones still support 2G by default, which means even in areas where no legitimate 2G network exists, a device will connect to a fake one.


The Economics of SMS Blasting

Part of what makes SMS blasters so dangerous is how accessible they have become. The devices are sold openly online, often from Chinese-language marketplaces, for several thousand dollars. Commsrisk has documented websites advertising fake base stations capable of sending 150,000 SMS messages per hour.

The operational model is also remarkably low-skill. Investigations across multiple countries reveal a consistent pattern: the people driving the cars are not sophisticated hackers. They are hired operators — often recruited for as little as $100 per day — who simply drive a pre-configured device through designated areas. The technical infrastructure and target lists are managed remotely by organized crime groups, typically based overseas.

From a defense economics perspective, this is a classic asymmetric problem. The attacker's cost is a few thousand dollars for hardware and a hundred dollars a day for an operator. The defender's cost — redesigning cellular authentication, upgrading hundreds of millions of devices, coordinating across carriers and regulators across dozens of jurisdictions — is orders of magnitude higher.


How to Protect Yourself Today

The single most effective defense is a settings change that takes less than thirty seconds.

Disable 2G on Your Phone

Every SMS blaster attack depends on forcing your phone to connect to 2G. If your phone refuses, the attack chain breaks at step three — the blaster cannot complete the downgrade, and the phishing message is never delivered.

On Android (12 and later): Go to Settings → Network & Internet → SIMs, and toggle off "Allow 2G." On Samsung devices, look under Settings → Connections → Mobile Networks → "Allow 2G service." On Android 16, you can also enable Advanced Protection Mode (Settings → Security & Privacy → Advanced Protection), which disables 2G by default along with additional security hardening.

On iPhone: Apple does not offer a standalone 2G toggle. The only option is Lockdown Mode (Settings → Privacy & Security → Lockdown Mode), which disables most message attachments, blocks incoming FaceTime calls from unknown contacts, and limits web browsing features. It is designed for high-risk individuals, not for everyday use. Until Apple provides a standalone option, iPhone users remain more exposed to this specific attack.

There is no meaningful downside to disabling 2G for most users. In markets where carriers still operate 2G infrastructure, voice calls may occasionally fall back to 2G in weak-signal areas — but even with the setting disabled, emergency calls (112, 911) will still connect over 2G if no other network is available. Google has confirmed this explicitly.

Note: Third-party apps that claim to detect fake cell towers exist but vary significantly in reliability. Android 16's built-in fake-tower notifications are currently the most dependable device-level detection available.


Watch for Sudden Network Downgrades

If your phone unexpectedly drops from 5G or 4G to 2G — particularly in an urban area where 2G coverage should not be the strongest signal — that is a potential red flag. Android 16 now includes notifications when your device may be connected to a suspicious cell tower. On earlier Android versions and iOS, you can manually check your network type in the status bar or quick settings.

SMS blasters can spoof any sender ID — your bank, your government, your delivery service. If you receive a text with a link asking you to verify your account, claim a refund, or update your payment details, do not tap it. Navigate to the organization's official app or website directly. This is good advice regardless of how the message arrived, but it is especially important in the blaster scenario because the spoofed sender ID will look completely authentic — no suspicious short code, no unfamiliar number, nothing to distinguish it visually from a legitimate message.

Keep Your Phone Updated

Android security patches regularly include improvements to cellular-level protections. Android 14 added null cipher disabling. Android 16 introduced fake-tower detection. These protections only work on current software.


What Needs to Change

The SMS blaster problem sits at the intersection of legacy protocol vulnerabilities, device-level defaults, carrier infrastructure limitations, and international law enforcement coordination gaps. No single intervention solves it.

Accelerate 2G sunset. The most fundamental mitigation is eliminating the vulnerability SMS blasters exploit. Every country should establish a firm timeline for 2G shutdown, and carriers should work with regulators to ensure emergency services migrate to modern protocols. As long as 2G exists — even as a fallback — phones remain vulnerable.

Default to 2G disabled on all devices. Google's approach with Android 12 and later is correct, but it should be the default, not an opt-in toggle. Apple needs to provide a standalone option for iOS users that does not require Lockdown Mode. Device manufacturers should ship phones with 2G disabled unless the user is in a market where 2G is still the primary connectivity option.

Deploy carrier-level signal intelligence. Carriers can detect SMS blasters through radio frequency anomalies — unusual signal patterns, unexpected 2G tower appearances in areas with no legitimate 2G infrastructure, and device behavior telemetry showing mass downgrades. UK operators have begun sharing rogue-tower telemetry in real time. This approach needs to scale globally.
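
The mass-downgrade check described in the paragraph above can be expressed as code. The following is an added example, not code from any carrier or from the sources cited in this article; it assumes handsets report serving-cell changes and that the operator keeps an inventory of its legitimate 2G cells, and the event format, thresholds, cell names and sample data are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for this example; tune them against real traffic.
MAX_DWELL_S = 30   # capture, inject and release takes seconds, per the article
WINDOW_S = 300     # sliding window for counting affected devices
MIN_DEVICES = 3    # distinct devices needed before a cell is flagged

@dataclass(frozen=True)
class Event:
    ts: int       # seconds (constructed values)
    device: str   # pseudonymous device id
    rat: str      # radio access technology: "2G", "4G" or "5G"
    cell: str     # serving cell identifier

def short_2g_visits(events, known_2g_cells):
    """Yield (cell, ts, device) for each brief stay on an unlisted 2G cell
    that is bracketed by 4G/5G service on the same device."""
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_device[e.device].append(e)
    for device, evs in by_device.items():
        for prev, cur, nxt in zip(evs, evs[1:], evs[2:]):
            if (cur.rat == "2G" and cur.cell not in known_2g_cells
                    and prev.rat in ("4G", "5G") and nxt.rat in ("4G", "5G")
                    and nxt.ts - cur.ts <= MAX_DWELL_S):
                yield cur.cell, cur.ts, device

def detect_rogue_cells(events, known_2g_cells):
    """Return {cell: sorted device ids} for unlisted 2G cells that briefly
    captured at least MIN_DEVICES distinct devices within WINDOW_S."""
    visits = defaultdict(list)
    for cell, ts, device in short_2g_visits(events, known_2g_cells):
        visits[cell].append((ts, device))
    alerts = {}
    for cell, hits in visits.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW_S:
                start += 1
            devices = {d for _, d in hits[start:end + 1]}
            if len(devices) >= MIN_DEVICES:
                alerts[cell] = sorted(devices | set(alerts.get(cell, [])))
    return alerts

# Constructed sample telemetry (not real data).
KNOWN_2G = {"gsm-legit-01"}
SAMPLE = [
    Event(1000, "dev-a", "4G", "lte-101"), Event(1010, "dev-a", "2G", "gsm-unk-77"),
    Event(1018, "dev-a", "4G", "lte-101"),
    Event(1005, "dev-b", "5G", "nr-202"), Event(1020, "dev-b", "2G", "gsm-unk-77"),
    Event(1027, "dev-b", "5G", "nr-202"),
    Event(1030, "dev-c", "4G", "lte-101"), Event(1041, "dev-c", "2G", "gsm-unk-77"),
    Event(1049, "dev-c", "4G", "lte-102"),
    # Legitimate fallback: inventoried 2G cell, long dwell. Not flagged.
    Event(1000, "dev-d", "4G", "lte-300"), Event(1100, "dev-d", "2G", "gsm-legit-01"),
    Event(1900, "dev-d", "4G", "lte-300"),
    # One device on another unlisted cell: below MIN_DEVICES. Not flagged.
    Event(2000, "dev-e", "4G", "lte-101"), Event(2005, "dev-e", "2G", "gsm-unk-88"),
    Event(2012, "dev-e", "4G", "lte-101"),
]

if __name__ == "__main__":
    print(detect_rogue_cells(SAMPLE, KNOWN_2G))
```

A handset that reports nothing while camped on the false cell will not appear in this data, so a check like this complements radio-side anomaly detection and does not replace it.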

Target the supply chain. The Philippines has pioneered a model worth replicating: rather than only pursuing the operators driving the cars, Philippine authorities have arrested major importers of SMS blaster hardware. Alexander Ramos, Executive Director of the Philippines' CICC, explained the rationale — disrupting supply is more scalable than chasing individual operators. Most other jurisdictions are still focused on catching drivers.

Clarify the legal landscape. SMS blasters occupy an ambiguous legal status in many countries. In some jurisdictions, owning the device is legal; operating it is not. In others, the law is silent. Clear legislation — covering manufacture, import, sale, and operation — would give law enforcement more consistent tools and create a stronger deterrent at the supply end.

Secure industrial IoT. The Sekoia research on cellular router exploitation highlights a broader problem: industrial IoT devices with SMS capabilities should never expose those APIs to the public internet without authentication. This is a firmware and deployment hygiene issue that manufacturers and operators need to address before the technique scales further.


Conclusion

SMS blasters represent a rare kind of threat: simultaneously low-tech and nearly impossible to stop with existing infrastructure. A device that fits in a suitcase can bypass billions of dollars in carrier anti-fraud investment by operating at a protocol layer those investments were never designed to reach.

The 2G vulnerability at the heart of this attack has been known for decades. What has changed is the economic incentive. As carriers have gotten better at filtering network-level spam, they have inadvertently made SMS blasters more attractive — the waterbed effect in action. As phishing-as-a-service platforms have lowered the barrier to creating convincing scam content, the demand for reliable delivery mechanisms has grown. SMS blasters fill that demand cheaply, scalably, and largely without detection.

The fix requires action at every layer: protocol sunset (2G), device defaults (disable 2G), carrier detection (signal intelligence), supply chain disruption (hardware importation controls), legal clarity, and IoT security (cellular router APIs). Any single layer addressed in isolation leaves the others exposed.

The police officer in London who received a phishing text from the device he was about to seize — that is the state of SMS security in 2026. The threat is close enough to touch. The defenses are still catching up.


Written by mkhn | Builds systems that protect billions of messages from fraud and phishing. Currently doing that at AWS.
Published by HackerNoon on 2026/03/19