Two British Men Built a Homemade Mobile Antenna to Send Scam SMS Messages

Two suspects have been arrested in the UK for using a “homemade mobile antenna” to send thousands of phishing SMS messages. According to law enforcement, the suspects posed as banks and other official organizations in their messages.

The London police reported that 32-year-old Huayong Xu and a second, unnamed suspect used a homemade device to send mass text messages. They allegedly managed to bypass mobile operators’ protections against smishing (SMS phishing) and attempted to trick recipients into revealing personal information. Authorities emphasized that this is the first known case of its kind in the UK.

“Criminals committing these types of offenses are becoming smarter and using increasingly sophisticated methods to deceive unsuspecting people and steal whatever they can get their hands on. Remember, a bank or any other official organization will never ask you to share personal information via SMS or phone,” law enforcement officials warned.

How the Scam Worked

Such attacks are possible due to long-known vulnerabilities in mobile communication standards. For example, mobile devices are required to authenticate themselves to networks using IMSI, but networks are not required to authenticate themselves in return. As a result, devices that connect to a fake base station can almost immediately receive phishing messages.

Although police described the device as “homemade,” it is not particularly difficult to build an IMSI-catcher using commercially available radio equipment. Base station emulators, commonly used for intercepting connections, are known as Stingrays or IMSI-catchers. Essentially, these devices mimic a cell tower, forcing nearby devices to connect to them. IMSI-catchers are sometimes used by law enforcement agencies themselves for triangulating target devices or even intercepting their communications.

Similar Incidents Worldwide

While UK authorities say this is the first such case in the country, similar incidents have occurred elsewhere. For example, last year, Vietnam’s Ministry of Information and Communications issued a warning about fake base stations and arrested two men who intercepted IMSIs from nearby devices to send phishing messages.

Another similar case happened in December 2022, when French police discovered an IMSI-catcher that a woman was carrying around Paris. This device was used to send messages urging Parisians to share their personal data on a fake health insurance website. It was later revealed that the same group was linked to another IMSI-catcher, which was transported around the city in an old ambulance.

Finally, in 2023, Norwegian police arrested a Malaysian citizen suspected of espionage after discovering an IMSI-catcher operating near several sensitive locations, including the Prime Minister’s office and the Ministry of Defense. In January of this year, the man was sentenced to three years in prison.