Support for detecting silent SMS messages
More info about silent SMS messages here: https://github.com/MatejKovacic/silent-sms-ping
It would be nice if the device were able to detect Type-0 messages as well.
i think this is a fine idea, although i'm curious about this point from your linked repo:
It is important to understand that receiving a silent SMS does not necessarily mean you are being targeted by some malicious actor. Silent SMS messages could be used for various technical reasons and receiving a silent SMS is not a good indicator of being targeted by your cell carrier, government or hackers.
one of Rayhunter's main design goals is to issue no false-positives, so we're really aiming to only add heuristics for very suspicious events. do you have a sense of how possible it'd be to write a silent SMS detector that can easily distinguish benign messages from suspicious ones?
Actually yes, I have some ideas.
First of all, Type 0 SMSes are absolutely used for tracking, so receiving such an SMS should trigger a high alert. The problem is that in Android, Type-0 SMS messages are hidden on purpose (in my repo you can read about how Google changed the Android code for that). On the other hand, it seems that receiving a Type-0 message triggers a record in the Android logs.
Class 0 (Flash SMS) is usually not problematic, because these messages are intended to be displayed, unless certain flags are used. We can alert the user if those flags are being used. The Silent SMS detector application detects these.
Class 1 is a normal SMS message; it should not trigger any alert.
Class 2 carries SIM card data and is used for sending some technical data from the mobile operator to a SIM card. Usually these are received when roaming is activated or when the mobile operator is pushing some settings.
However, any SMS message could be intentionally "broken" so that it would act as a silent SMS message. Therefore my suggestion would be to record (save) everything and alert only on the most problematic ones.
When we have enough data, we can analyze which other messages could also be problematic. For instance, if there are protests and the leaders of the protests are receiving weird messages (which are not yet detected as problematic), we should reconsider the methodology for classifying a message as suspicious.
Also, if the mobile phone of some journalist gets infected with Pegasus, we could also check all SMS messages received on his second phone number in this device.
I did some light digging but couldn't turn up much, so I will ask here in the hope that it pushes this idea forward a bit in the research space. Does anyone have any example pcaps, in the wild or through research, that show what these various SMS class types would look like on the receiving end? Is there a documented spec handy? Academic papers maybe?
I really like heuristic opportunities with something like this. Great idea, thank you for sharing!
I think that in Wireshark you can use the filter gsm_sms.tp_pid == 0 (for Type-0 messages). I guess we should also be looking at gsm_sms.tp_dcs and (for LTE NAS) nas-eps.emm.message_type...
I did some tests.
I used this Android app to send a silent SMS message (which is actually not a true silent SMS, because it is Class 0 and not Type 0), and in the PCAP file I can filter this: wsp.pdu_type == 0x06.
This is normal SMS (below you can see the text I sent):
And this is silent SMS (Class 0):
this is super helpful, thank you!
Another thought I have on this: wouldn't silent SMS messages be used for targeted attacks? Is there a use for them in identity discovery (as in the police want to know who is in an area, not find a specific person)?
Silent SMSes are used for targeted attacks. Basically to track a specific person (i.e. his SIM card).
Very insightful, I love pulling from this branch so often!
From my understanding, silent SMS are often used to confirm a target's position or to force-generate traffic that can be used by IMSI catchers; there are public reports that this is a favourite tool of the German police, who send thousands of silent SMS to the targets of their interest each year.
As mentioned, it is primarily used in these two scenarios:
- confirming the target's/victim's position: this is done to confirm the target is present (reasonably, via distance) at an expected location, which is usually followed by a raid or another type of surveillance (e.g. physical)
- force-generating traffic can be a precursor to an IMSI catcher; theoretically similar to the first case, it can be used to confirm the target device is in range of the IMSI catcher so it can take over the connection, attempt a downgrade or perform a targeted attack such as exploitation of the modem/device
- an extension of the previous case is performing something similar to a timing attack by sending a large amount of silent SMS at very specific intervals and monitoring the radio channels; even if encrypted over the air, the flow of data on the radio channel can be monitored and correlated with the timings at which those SMS were sent to find the target device. This allows obtaining temporary identification (TMSI) and other material to proceed with full deanonymization or a more targeted attack.
FYI: I would also propose monitoring SMS messages that have the ID set in combination with the replace flag, as described here: https://ozeki-sms-gateway.com/p_44-how-to-configure-the-smpp-replace-if-present-field__NO.html
This specific case can indicate active exploitation over the cellular network and is also known to be used by some cell interceptors as a forensic countermeasure to wipe evidence if a malicious payload is delivered over an SMS PDU.
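As an added example (not code from the Rayhunter project or from anyone in this thread), here is a small Python classifier that applies the header heuristics discussed above (Type 0 and the gsm_sms.tp_pid / gsm_sms.tp_dcs fields from the Wireshark message, Class 0 flash messages from Matej's breakdown, and the replace-type messages from the SMPP note) to raw SMS-DELIVER TPDUs. The constants come from 3GPP TS 23.040 (TP-PID 0x40 is "Short Message Type 0", 0x41..0x47 are "Replace Short Message Type 1..7", and the message class lives in TP-DCS); the sample PDUs, sender number and severity labels are my own construction for the demonstration.

```python
"""Classify GSM SMS-DELIVER TPDUs by TP-PID / TP-DCS (3GPP TS 23.040)."""
from __future__ import annotations
from dataclasses import dataclass

TYPE0_PID = 0x40                   # "Short Message Type 0": acked by the phone, never shown or stored
REPLACE_PIDS = range(0x41, 0x48)   # "Replace Short Message Type 1..7": overwrites an earlier message

@dataclass
class SmsVerdict:
    pid: int
    dcs: int
    msg_class: int | None          # 0..3, or None when the DCS carries no message class
    severity: str                  # "high" / "medium" / "info" (labels chosen for this example)
    reason: str

def parse_tpdu(tpdu: bytes) -> tuple[int, int]:
    """Return (TP-PID, TP-DCS) of an SMS-DELIVER TPDU (without any SMSC address prefix)."""
    if tpdu[0] & 0x03 != 0x00:             # TP-MTI bits 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = tpdu[1]
    # TP-OA = length(1) + type-of-address(1) + ceil(digits / 2) semi-octet bytes
    off = 3 + (oa_digits + 1) // 2
    return tpdu[off], tpdu[off + 1]

def dcs_class(dcs: int) -> int | None:
    """Message class from TP-DCS: general group 00xx with bit 4 set, or group 1111."""
    group = dcs >> 4
    if group <= 0x3 and dcs & 0x10:
        return dcs & 0x03
    if group == 0xF:
        return dcs & 0x03
    return None

def classify(tpdu: bytes) -> SmsVerdict:
    pid, dcs = parse_tpdu(tpdu)
    cls = dcs_class(dcs)
    if pid == TYPE0_PID:
        return SmsVerdict(pid, dcs, cls, "high", "TP-PID 0x40: Type 0 silent SMS")
    if pid in REPLACE_PIDS:
        return SmsVerdict(pid, dcs, cls, "medium", f"TP-PID 0x{pid:02x}: replace-type SMS")
    if cls == 0:
        return SmsVerdict(pid, dcs, cls, "medium", "DCS class 0 (flash) SMS")
    return SmsVerdict(pid, dcs, cls, "info", "normal SMS")

def build_deliver(pid: int, dcs: int, ud: bytes = bytes.fromhex("e834")) -> bytes:
    """Constructed SMS-DELIVER TPDU from +123456 with a made-up timestamp (test data only).
    Default user data is the 7-bit packed text "hi" (2 septets, 2 octets)."""
    oa = bytes([6, 0x91, 0x21, 0x43, 0x65])      # 6 digits, international, digits "123456"
    scts = bytes.fromhex("52201161450000")       # arbitrary constructed TP-SCTS
    return bytes([0x04]) + oa + bytes([pid, dcs]) + scts + bytes([len(ud)]) + ud
```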