Introduction
Smishing is a portmanteau or combination of the acronym "SMS" (which is short for "short message service", otherwise known as text messages) and "phishing", which is another form of fraud that involves using deceptive messages via email, in order to obtain confidential information from a person, usually financial information. In effect, you could say that smishing is just phishing but via text messages. One of the reasons why smishing is so much more harmful than phishing via emails is that text messages feel more personal than emails, and so people are more likely to "let their guard down" and click on links or reveal certain information via text that they otherwise wouldn't with an email. Related to this is that there are more defences that come with a standard email address as opposed to a text; practically all major email providers provide a spam/junk mail service, which is one way of avoiding phishing attacks; there are very few, by contrast, that come with text messages. This problem will potentially become worse with the advancement of large language models (LLMs) and artificial intelligence (AI) which can convince people, particularly the elderly, that a text message they have received is from a loved one when it is not.
That's where Smishing Detector comes in. Smishing Detector is an app that helps in the fight against smishing. It does this both in alerting the recipient of an SMS message that a URL contained within it is potentially suspicious, as well as redacting confidential financial information that is inbound in SMS. The repository on Github also includes some snippet code that can be considered "best practice" (or more accurately, "better practice) by leveraging the APIs offered by Pangea.
The Problem
Smishing is a problem. One estimate by the Federal Bureau of Investigation (FBI) in the United States in 2020 suggests that as much as $50 million is lost in smishing scams, to the detriment of many Americans, not least at a time of a cost of living crisis. Other countries such as the United Kingdom have also reported an increase in the new kind of fraud.
Smishing is arguably more pernicious than regular phishing done via email. This is because people seem to trust SMS messages more so than emails: one research organisation found that the click-through-rate (CTR) for SMS was significantly higher than that received through email. Furthermore, there is an entire suite of protection mechanisms that come with emails that just don't have an equivalent with text messages. Phil Richards of the security firm Ivanti put it best (unaffiliated with me),
It’s far easier to block email phishing on corporate-owned PCs, but today’s remote workers are now using their personal devices to access corporate apps and data [...] And frankly, there’s just no easy way to verify the authenticity of URLs on smartphones, so users often just click and hope for the best.
Technical Explanation
This app was built for Android using the language Java, the main traditional/native programming language for Android apps (although there is a push by Google to encourage developers to use Kotlin). Android apps can send and receive SMS messages. By default, SMS messages are unfiltered. This means that it is up to the user, currently, to determine how to interact with the SMS message. Herein lies the problem associated with smishing.
In the context of Android, when an SMS message is received, something known as a "Broadcast Intent" is fired. Broadcast Intents are basically system-wide notifications of an event that has happened. Broadcast Intents do not just apply to SMS messages being sent or received; they can also apply to other events within the phone, such as the battery being low, the internet being disconnected, to name just a couple of possible events. An SMS message being sent or received fires a notification to all apps that an event has happened, namely, that an SMS message has been received. We can use this fact, together with Pangea's APIs, to help in the fight against smishing.
However, building an Android app comes with a number of technical difficulties when used together with Pangea's APIs. The first is that Pangea only (and unfortunately) provides its API responses in JSON as opposed to XML. This is problematic because it is not possible to natively parse JSON with Java, at least to my knowledge. This means we need to rely on a third-party library in order to parse the JSON responses. We do this using the third-party library GSON, including it as a dependency in our Android app (build.gradle):
implementation 'com.google.code.gson:gson:2.10.1'
Another difficulty with the Pangea's APIs within the context of Android is that we need to connect to the internet to access Pangea's APIs which we do with the following code in the AndroidManifest.xml file,
<uses-permission android:name="android.permission.INTERNET" />
However, this is problematic because it raises the issue of threads as connecting to the internet tends to hang up the foreground operations in an Android app and should therefore be moved to a background thread. We get around this with the use of the Thread class in Java.
The following sections go into greater discussion of how the various capabilities of this app work.
Notification of suspicious link
Omit inbound SMS messages with confidential financial information
Pangea APIs used in this Android app
The following APIs offered by Pangea were offered in this app:
- URL Intel
- Redact (U.S. bank number, IBAN code, Crypto wallet address, Credit card number)
Applications and Use Cases
There are a number of use cases and applications associated with Smishing Detector. One potential use case is a situation where a person has an elderly family member and wants to protect the person from a situation involving smishing. Another use case is a situation where an organisation wants to protect its customers/clients from inadvertently providing financial information that they otherwise wouldn't.
Log in or sign up for Devpost to join the conversation.