Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.mobile.android > #154170

Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner

From "Carlos E. R." <robin_listas@es.invalid>
Newsgroups comp.mobile.android
Subject Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner
Date 2026-06-15 21:21 +0200
Message-ID <n9b1m5F2h21U1@mid.individual.net> (permalink)
References (4 earlier) <n97n91FgcntU3@mid.individual.net> <1qwv27zsc5bmc$.dlg@v.nguard.lh> <n99nl4Fqtt9U1@mid.individual.net> <eh45rii6fg9a$.dlg@v.nguard.lh> <+7F*BAaJA@news.chiark.greenend.org.uk>

Show all headers | View raw

On 2026-06-15 17:29, Theo wrote:
> VanguardLH <V@nguard.lh> wrote:
>> initialized.  I would think the scheme would not have the callee
>> accepting an RCS ACK before it even sent its own RCS REQ.
>>
>> The article mentioned Google's open standard, but did not provide a URL
>> to it.  Looks like the scheme uses encrypted RCS messaging.  The
>> callee's Phone by Google app would have to initiate the encrypted RCS
>> messaging.  It's not going to listen for an RCS ACK message until the
>> callee initiates with an RCS REQ.
>>
>> https://blog.google/security/android-fake-call-detection/
>>
>> But still no link to the definition of their open protocol.
>>
>> https://www.techtimes.com/articles/318000/20260608/android-fake-call-detection-targets-ai-deepfakes-rcs-handshake-verifies-caller-devices.htm
>> "When a saved contact calls, their Phone by Google app sends a silent,
>> real-time cryptographic confirmation token over the RCS signaling layer
>> to the recipient's device. That token confirms the call is genuinely
>> originating from the contact's registered hardware — not routed through
>> VoIP software with a spoofed caller ID."
>>
>> Hmm, so the caller initiates with sending an encrypted RCS token to the
>> callee.  But all of this RCS attestation is only for saved contacts.
>> Your phone sees a number you saved as a contact for Mom, and uses the
>> RCS token to verify it's Mom.  However, if you don't have a contact for
>> Mom, the caller ID says "Mom", and RCS attestation isn't involved.
>> Doesn't seem a reliably or trustworthy scheme if the caller initiates
>> the RCS attestation.
> 
> It seems this is a byproduct of end to end encryption over RCS.  As part of
> starting an RCS conversation a set of key pairs are established.  Then you
> can use those to securely communicate with your correspondent.
> 
> In this case the 'I'm calling you' RCS message is presumably using the
> existing key pairs, meaning that secure communication is already established.
> In that way you can know that a call you receive from your correspondent
> without the accompanying RCS message is more likely to be spoofed, and the
> warning message displayed.

Ah. So this is the answer to my question, thanks.

> 
> For a contact who you haven't previously established RCS communication with,
> the system hasn't yet established a secure channel.  I'm not sure if you can
> send an unsolicited RCS message anyway; presumably businesses must be able
> to send out RCS messages without having the user enroll them as contacts
> first?  But presumably if you don't have a key pair established then you
> can't put up a message saying the call is suspicious?

In this case, and grandma below, side B messages side A.

> 
> The place I can see this falling down is where you have never contacted them
> via RCS, only phone calls or other means.  For example if you always chat
> with grandma via iMessage or WhatsApp then you may not have established an
> RCS session with her to set up keys.  Then the phone can't know whether she
> is on RCS or not (without some potentially slow discovery process) and can't
> pop up a message saying not to trust the call.
> 
>> Imposter makes a call pretending to be Mom, and includes the RCS
>> confirmation signal.  You get the spoofed call, and your phone app
>> checks with Mom's device using RCS.  Might work if Mom's phone was
>> powered up to respond.  Maybe it isn't.  If the imposter pretends to be
>> not just your pharmacy, but the distro warehouse for your pharmacy, you
>> won't have them as a contact (you won't even know their phone number).
>> Caller isn't a contact, so this RCS scheme is dead.  A caller that is
>> not a saved contact isn't challenged to prove they are who they say.  I
>> wasn't aware that spoofing primarily targeted saved contacts on the
>> callee's phone.  How are they going to get my contacts?
> 
> I don't think it's saved contacts that is relevant, it's people you have
> already contacted via RCS.  That is mostly people with real mobile
> phones, rather than landlines or businesses.
> 

Right.

>> This seems a stab at an iffy scenario for limited subset of users, and
>> likely to fade away if STIR/SHAKEN gets adopted by all mobile carriers,
>> and actually works.  However, its just for mobile calls.  Apparently
>> Google isn't keen on STIR/SHAKEN, and came up with a client-end scheme
>> that bypasses any spoof checking at the carrier.
> 
> STIR/SHAKEN is a US thing, it doesn't apply in other countries.  Google's
> solution does.
> 
> Theo

It is a start.

-- 
Cheers,
        Carlos E.R.
        ES🇪🇸, EU🇪🇺;

Back to comp.mobile.android | Previous | NextPrevious in thread | Find similar | Unroll thread

Thread

Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E.R." <robin_listas@es.invalid> - 2026-06-10 11:44 +0200
  Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Jörg Lorenz <hugybear@gmx.net> - 2026-06-10 17:59 +0200
  Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-10 14:29 -0500
    Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E.R." <robin_listas@es.invalid> - 2026-06-10 23:19 +0200
    Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Theo <theom+news@chiark.greenend.org.uk> - 2026-06-11 22:32 +0100
      Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-11 20:18 -0500
        Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E.R." <robin_listas@es.invalid> - 2026-06-12 12:16 +0200
          Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-12 15:13 -0500
            Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Andy Burns <usenet@andyburns.uk> - 2026-06-13 08:29 +0100
              Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-13 15:52 -0500
                Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Jörg Lorenz <hugybear@gmx.net> - 2026-06-14 07:35 +0200
      Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Jörg Lorenz <hugybear@gmx.net> - 2026-06-12 07:19 +0200
      Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E.R." <robin_listas@es.invalid> - 2026-06-12 12:19 +0200
        Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-12 15:59 -0500
      Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Theo <theom+news@chiark.greenend.org.uk> - 2026-06-12 23:11 +0100
        Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E. R." <robin_listas@es.invalid> - 2026-06-14 15:05 +0200
          Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-14 20:18 -0500
            Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E. R." <robin_listas@es.invalid> - 2026-06-15 09:24 +0200
              Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner VanguardLH <V@nguard.LH> - 2026-06-15 08:14 -0500
                Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner Theo <theom+news@chiark.greenend.org.uk> - 2026-06-15 16:29 +0100
                Re: Android will detect calls with spoofed numbers by sending a real-time RCS message to the legitimate owner "Carlos E. R." <robin_listas@es.invalid> - 2026-06-15 21:21 +0200

csiph-web