Path: csiph.com!weretis.net!feeder8.news.weretis.net!news.tcpreset.net!newsgate.tebibyte.org!.POSTED.251.red-79-150-114.dynamicip.rima-tde.net!Telcontar.valinor!not-for-mail
From: "Carlos E.R."
Newsgroups: comp.mobile.android
Subject: Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner
Date: Wed, 10 Jun 2026 23:19:11 +0200
Organization: Tebibyte_Retro_Gaming
Message-ID:
References: <08onfmxrah.ln2@Telcontar.valinor>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: mailgate.tebibyte.org; posting-host="251.red-79-150-114.dynamicip.rima-tde.net:79.150.114.251"; logging-data="15759"; mail-complaints-to="abuse@tebibyte.org"
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To:
X-Leafnode-NNTP-Posting-Host: 127.0.0.1
Xref: csiph.com comp.mobile.android:154120

On 2026-06-10 21:29, VanguardLH wrote:
> "Carlos E.R." wrote:
>
>> This is an article in Spanish, translated. I do not know if it applies
>> worldwide.
>>
>> Android will detect calls with spoofed numbers by sending a real-time
>> RCS message to the legitimate owner
>>
>> By Joshua Llorach
>> Published 3 June 2026 10:50
>>
>> Until last summer, it was very easy for malicious actors to spoof the
>> number that appears on a mobile phone screen as the caller ID when a
>> call rings. The lack of a system to validate numbers and their origin
>> allowed spammers and other malicious actors to inject traffic into the
>> network with a spoofed caller ID, a practice known as CLI spoofing.
>>
>> Since June 2025, mobile operators have been filtering calls originating
>> from abroad that use Spanish numbers without permission, as well as
>> applying other validation checks to make this practice more difficult.
>> Added to these measures is the system from Orange and Telefónica that
>> displays a warning on the screen for suspicious calls.
>>
>> Falsifying a number known to the victim makes the attack much more
>> effective, especially in the age of AI, where it is very easy to imitate
>> a person’s voice, so Google is joining this fight with its own measures
>> against CLI spoofing.
>>
>> The Android Phone app has started to verify the caller ID of incoming
>> calls by connecting in real time to the supposed originating mobile
>> phone to check that it is indeed the one making the call.
>>
>> For this to work, both parties must be Android users with the Phone app.
>> When the call rings on the recipient’s device, the phone sends an
>> encrypted RCS message to the legitimate owner of the number to ask if
>> they are actually making the call at that moment. In this way, the
>> recipient’s phone can tell when the call is fake.
>>
>> The idea is interesting, as it does not use OTT data traffic, but rather
>> core network services, making the exchange of information faster and
>> more reliable.
>>
>> This feature is being rolled out first on Pixel devices running Android
>> 12 and above, but Google has released it as an open standard so that
>> other phone apps and operating systems can use it, meaning that in the
>> future it would be possible to verify numbers between Android and iOS if
>> the parties involved wish to do so.
>>
>> Translated with DeepL.com (free version)
>
> So the non-spoofed caller makes their call, and then has to respond to a
> text message? Oh joy, 2FA comes to voice calls, too.

Yes, I wonder.

>
> "When the call rings on the recipient’s device, the phone sends an
> encrypted RCS message to the legitimate owner of the number to ask if
> they are actually making the call at that moment."
>
> One, only works when caller and callee are both Android users, and both
> use a phone app with the integrated verification check.

The Google telephone app, which is the default.

> Two, to
> eliminate 2FA interference, the caller's phone app must automatically
> respond to the RCS request by the callee's phone app, and the callee's
> phone app must automatically handle the RCS response.
>
> Texting is not a guaranteed communication venue. What happens when a
> call is received, but texting fails in either direction between caller
> and callee? And how does this scheme eliminate the delay in getting the
> specially encoded text? Texting is not always immediate. Who is going
> to wait 2 minutes for the texting to complete in both directions when
> there is an incoming call? After how many rings should the callee wait
> before picking up the call? Will the callee's phone app silence all
> ringing until its validation text gets received by the caller, and the
> caller's phone app sends back the response text, to when the callee's
> phone app finally gets that response text?
>
> I'm sure there are some glitches that will have to get ironed out.
> Since texts are an insecure communication venue (no encryption),

It is RCS, there is encryption.

> there
> wouldn't be some means to spoof the response text the spammer sends to
> the callee? There are entire companies dedicated to providing spoofing
> services, so I'm sure they'll figure out a workaround.

-- 
Cheers,
Carlos.
ES🇪🇸, EU🇪🇺;
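
The exchange described in the quoted article, together with the lost and delayed messages raised in the quoted reply, modelled from the callee's side as an added example that is not part of the post and is not Google's protocol. The class and function names, the 2-second answer budget and the phone numbers are assumptions made for illustration.

```python
import enum
from dataclasses import dataclass
from typing import Dict, Optional


class Verdict(enum.Enum):
    VERIFIED = "verified"      # owner's phone confirms it is calling us
    SPOOFED = "spoofed"        # owner's phone answered: not calling us
    UNVERIFIED = "unverified"  # no usable answer; treat as an ordinary call


@dataclass
class OwnerPhone:
    """Hypothetical model of the handset that really owns a number."""
    dialing: Optional[str] = None  # number it is calling right now, if any
    reachable: bool = True         # False: query or reply lost in transit
    delay_s: float = 0.3           # constructed round-trip time of the exchange

    def answer_query(self, callee: str) -> Optional[bool]:
        # Answered by the app itself, with no prompt shown to the user.
        if not self.reachable:
            return None
        return self.dialing == callee


def verify_incoming(caller_id: str, my_number: str,
                    enrolled: Dict[str, OwnerPhone],
                    budget_s: float = 2.0) -> Verdict:
    """Callee-side decision for one ringing call (assumed logic)."""
    owner = enrolled.get(caller_id)
    if owner is None:                      # owner's app lacks the feature
        return Verdict.UNVERIFIED
    answer = owner.answer_query(my_number)
    if answer is None or owner.delay_s > budget_s:
        return Verdict.UNVERIFIED          # lost or late: never "verified"
    return Verdict.VERIFIED if answer else Verdict.SPOOFED


# Constructed numbers and handsets for the demonstration.
ME = "+34600000001"
PHONES = {
    "+34600000002": OwnerPhone(dialing=ME),                 # genuine call
    "+34600000003": OwnerPhone(dialing=None),               # owner is idle
    "+34600000004": OwnerPhone(dialing=ME, reachable=False),
    "+34600000005": OwnerPhone(dialing=ME, delay_s=120.0),  # 2-minute delay
}

if __name__ == "__main__":
    for number in list(PHONES) + ["+34600000006"]:
        print(number, verify_incoming(number, ME, PHONES).value)
```

The three-way verdict is the point of the model: a missing or late answer leaves the call unverified, so only an explicit denial from the owner's phone marks a call as spoofed.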