phishing-campaign-intelligence, voice-social-engineering, credential-stealer-activity, telecommunications-sector-threat

Rise of SMS-Based Mobile Fraud Through Smishing and OTP Interception

Updated 2d ago | First seen Mar 19, 2026 | 5 sources

Criminals are increasingly abusing SMS as a fraud channel, using both network-level and device-level techniques to bypass traditional defenses and steal credentials, banking data, and one-time passcodes. One reported method uses SMS blasters—portable false base stations or cell-site simulators—to inject phishing texts directly into nearby phones without traversing carrier networks, allowing messages spoofing government agencies or banks to evade carrier spam filtering. Another technique targets Android devices through the LSPosed framework and the Digital Lutera module, enabling attackers to capture SMS verification tokens, impersonate phone numbers, insert fraudulent SMS records, and support real-time payment app account takeover and transaction approval.

The fraud ecosystem also includes large-scale smishing campaigns built around fake parcel delivery notifications, with Group-IB reporting sustained growth across the Middle East and Africa and postal brands most frequently abused. Those campaigns use urgent shipment-tracking lures to drive victims to counterfeit courier sites that harvest personal data, card details, banking credentials, and OTPs. Together, the reporting shows that mobile fraud is expanding through both social engineering and deeper technical abuse of telecom and mobile operating system trust models, exposing weaknesses in SMS-based authentication and message trust assumptions.


EVENT TIMELINE

How this story unfolded

5 events from the most recent confirmed update back to the earliest known activity.

Mar 18, 2026 (4mo ago)

Researchers report Android LSPosed attack enabling payment app takeovers

CloudSEK disclosed that attackers were abusing Android's LSPosed framework with a module called Digital Lutera to compromise mobile payment apps at the OS level. The module could intercept SMS verification tokens, collect 2FA codes, falsify SMS records, and support real-time fraudulent transaction approvals.

Dec 1, 2025 (7mo ago)

Egypt identified as top target in MEA shipment scam dataset

In data covering December 2025 through February 2026, Egypt was the most targeted country in the fake shipment-tracking campaign, while postal services were the most abused sector. The phishing pages were mobile-optimized and used WebSocket scripts to exfiltrate keystrokes in real time.

Jan 1, 2025 (1y ago)

Fake shipment-tracking scam activity accelerates

Group-IB reported that the MEA fake shipment-tracking campaign intensified through 2025, indicating broader and more coordinated criminal activity. The infrastructure showed shared IPs, overlapping hosting, and traits linked to the Darcula phishing-as-a-service ecosystem.

SMS blaster smishing incidents expand globally

During 2025 and early 2026, SMS blaster attacks spread across multiple countries including the UK, Japan, Brazil, Indonesia, Thailand, Switzerland, the Philippines, Greece, and India. The technique used rogue base stations to force phones onto 2G and inject phishing texts outside normal carrier filtering.

Jan 1, 2024 (2y ago)

Fake shipment-tracking smishing activity begins in MEA

Group-IB observed fake delivery SMS scams targeting users in the Middle East and Africa starting in early 2024. The messages lured victims to counterfeit courier sites designed to steal personal, banking, card, and one-time-password data.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

7 linked

Affected products (1 linked): WhatsApp

Organizations (6 linked): Cisco Systems, Recorded Future, Meta Platforms, Coalition, Google, Venable LLP