Path: csiph.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail From: "Carlos E. R." Newsgroups: comp.mobile.android Subject: Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Date: Sun, 14 Jun 2026 15:05:37 +0200 Lines: 38 Message-ID: References: <08onfmxrah.ln2@Telcontar.valinor> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Trace: individual.net VWDddUi5KNIkIMnRQnEboQ0k74iF/hxnHv403SmmCk8Ricvx1A Cancel-Lock: sha1:iXtFxclsRoUq5O06xwYWLvCkZwU= sha256:NcW4wLM9nYGeQXLTTfPEiEIV18gvhF8nA/Bp4UWmU8s= User-Agent: Mozilla Thunderbird Content-Language: en-GB In-Reply-To: Xref: csiph.com comp.mobile.android:154154 On 2026-06-13 00:11, Theo wrote: > Theo wrote: >> VanguardLH wrote: >>> "Carlos E.R." wrote: >>>> Translated with DeepL.com (free version) >>> >>> So the non-spoofed caller makes their call, and then has to respond to a >>> text message? Oh joy, 2FA comes to voice calls, too. >> >> I was assuming that it's making an automatic handshake with the calling >> phone via RCS, not asking the caller to do it. > > I was almost there, but got it wrong that the verifying RCS message is sent along > with the call - it's only initiated by the recipient if it didn't get the > initial RCS verification: > > https://blog.google/security/android-fake-call-detection/ Can we ensure that the bad caller can not also send a fake RCS message? > > They're selling it as preventing deepfakes where the attacker can both spoof > a number and spoof that person's voice, making it hard to tell from the real > person. In that case I can see why something to assert it wasn't the real > phone comes in useful. > > It's quite a narrow use case (just spoofed calls from people you know, > rather then spoofed calls from your bank/etc, and not Facetime/Whatsapp/... > voice calls) but I suppose phone calls are where the scammers are striking, > so it makes sense to start there. > > Theo -- Cheers, Carlos E.R. ES🇪🇸, EU🇪🇺;