Mobile spam has evolved alongside messaging technology, and Rich Communication Services (RCS) may have worsened things. While Android’s Google Messages app has supported RCS since Lollipop, Apple’s addition of RCS compatibility with iOS 18 broadened its reach, opening new opportunities for spammers. Android and iPhone users can now communicate through RCS messaging, but cross-platform security vulnerabilities pose a risk.




Apple’s RCS implementation did the bare minimum, omitting end-to-end encryption (E2EE) at launch. Samsung promptly warned users to be careful when sending RCS messages to iPhones because even Samsung’s best phones only offer encryption for Android-to-Android communication. It seems the spam floodgates have opened further. RCS’s inconsistent security measures and cheaper messaging costs play a role, but why is RCS attractive to spammers?

Related

Hands-on: One UI 7 is so good, it might make me switch to Samsung

Samsung’s next update is looking like a win

4


Scams in the SMS and MMS days

Before RCS messaging, Short Message Service (SMS) offered 160 characters and required a cellular provider. While longer messages could be sent by breaking them up into smaller messages that met the character requirements, this increased the cost because providers typically charged per message.



Multimedia Messaging Service (MMS) introduced the ability to include text and multimedia content, but it has limits. First-generation MMS started at 50kB messages, and later generations varied by provider but tended to cap out at 1MB to 2MB.

Scammers worked within these limitations using simplistic social engineering tactics, as they do today. Messages impersonating banks or service providers and urging people to call a phone number were common. Other messages exclaiming things like, “Congratulations! You’ve won $1,000! Reply with your details to claim your prize.” were also frequently used. The goal was to confirm active numbers, collect data, and exploit victims financially.

Gemini scam detection showing a warning that the call is likely a scam and giving options to dismiss and continue or end call.

Source: Google



We don’t see premium-rate fee scams as often anymore. Toll numbers were more common, usually starting with prefixes like 900 in the US and charging per minute. I remember them most often being associated with adult content, but they were also used for technical support, psychic or astrology readings, and charity donations. The magazine Nintendo Power had a premium-rate hotline in the 80s and 90s that players could call to get tips, strategies, and walkthroughs for Nintendo games.

Scammers used SMS to lure victims into calling premium-rate phone numbers with high per-minute rates. They often used scripted conversations to prolong the call and increase charges. Now that we can find almost anything we want on the internet, these types of scams are rarely talked about.


RCS helped email scamming tactics go mobile



The GSM Association (GSMA) developed the new RCS protocol and released it in 2008. RCS’s decentralized architecture leaves implementation up to carriers but primarily eliminates character limitations and typically allows for media files up to 100MB. While the messaging capabilities were a major upgrade, RCS’s lack of E2EE has been heavily criticized. While adopters like Google added E2EE for Google Messages, it’s up to each provider to implement their own E2EE solutions.

Email scams were cheaper, easier, and more effective than SMS scams in the past. Using rich media made it easier to impersonate banks and companies, making messages look professional. Victims could click malicious links that directed them to fake websites that stole login credentials or personal information. Clicking attachments could infect users’ computers with malware like keyloggers, ransomware, or Trojan viruses. The introduction of RCS facilitated these tactics by enabling richer media and larger message capacities.

Spam texts are the new spam call.


Robokiller’s 2021 Phone Scam Insights reported, “Spam texts are the new spam call.” There was a 58% increase in spam texts from the previous year and 87,850,585,036 spam texts in 2021. This surpassed the 72.2 billion spam calls placed in the same time frame. While RCS plays a big role in enabling this shift, other factors are also at play.


Contributions to the text spam surge

Generational messaging habits changed

Smart Compose icon in Google Messages on the Samsung Galaxy S24

A major shift in messaging habits occurred between Gen X and Millennials. Millennials use text messaging regularly, often preferring it over phone calls, and use email less frequently than Gen X, primarily because they prefer faster, more direct communication methods. Millennials are also more likely to use group text messaging and to use text to spread information. This change in preferences didn’t go unnoticed by scammers.


COVID-19 made scam call centers dangerous

The biggest contributor to increased messaging spam, though, was COVID-19. It caused a 50% drop in spam calls between April and June 2020. Social engineering hubs, scam mills, and phishing farms were typically large call centers dedicated to targeting victims over the phone. These close-quarter operations could have been a death sentence during the pandemic. Many operations quickly shifted to messaging, largely through RCS protocol.

You can get a lot of insight into how scam organizations work from YouTube channels like
Scammer Payback
.

An unclear pandemic response allowed scammers to capitalize on the confusion surrounding stimulus checks, relief programs, government agencies, and healthcare providers. The FTC reported more than 732,000 complaints related to COVID-19 and stimulus payments in 2022, costing consumers $778 million.



US policy changes put user data at risk

The Trump administration’s broad deregulation across various sectors led to the rollback of consumer protection policies and increased exposure to RCS-related scams. The repeal of the Broadband Consumer Privacy Protection Act allowed ISPs to access and distribute consumers’ online activity and sensitive data without consent. Data markets were flooded with new personal information used for targeted scams.

Scammers move their efforts from robocalls to messaging when there’s a burgeoning market of victims they can easily access personal information about and who are open to RCS’s security vulnerabilities.


What’s being done to address RCS spam?

The Google Messages icon on a phone's home screen

Google has committed to bringing cross-platform end-to-end encryption to RCS chats, and the Global System for Mobile Communications Association (GSMA) said it’s working towards implementing E2EE to secure messages between Android and iOS ecosystems.


The next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end encryption. This will be the first deployment of standardized, interoperable messaging encryption between different computing platforms, addressing significant technical challenges such as key federation and cryptographically enforced group membership. Additionally, users will benefit from stronger protections from scams, fraud, and other security threats.

RCS spam can’t be eliminated. We can only rely on good security and spam filtering. Recent advancements in deciphering spam through AI have led to improvements, and there is potential for significant spam reduction in the near future. Fine-tuned large language models (LLM), along with natural language processing (NLP), are positioned to surpass current spam detection systems and will make their way to RCS messaging. There’s more to RCS chat than E2EE and spam filtering, so seeing how Google and the GSMA tackle this still-growing problem will be interesting.