SMS is still widely used today. Despite the fact that their content is not encrypted, they are usually the most common route for two-step verification for all types of services, including the Google account or banking services. Although it is better to use authentication apps like Google Authenticator , SMS serves as the last spring. But some operators don’t care, and they are putting advertising on them.
It is not uncommon to receive advertising SMS directly on the mobile from all kinds of companies that take advantage of our data to send it. However, what we had not seen so far was that an operator modified a legitimate SMS to insert advertising on it.
Real SMS ads posted by operators
This has happened to Chris Lacy , developer of applications such as Action Launcher for Android. This developer went to log into one of his multiple Google accounts, for which he received an SMS in the Messages application of his Android mobile. However, when he saw that the SMS did not arrive, he went to the spam section, and there he found the message.
Update: some Googlers have chimed in and it looks like the ad portion was appended by my carrier to Google’s 2FA message. https://t.co/4CGUOw3x2v
– Chris Lacy (@chrismlacy) June 29, 2021
The message, seen as it appears in the photo, looks like a message sent by a hacker, as the verification code is displayed, but right after it is shown an advertisement for Avira Phantom VPN Pro , their VPN service with 30% off. The inclusion of this ad with the corresponding link makes the app send that SMS directly to the spam folder .
Google workers confirm that it is the operator
Some users began to speculate that it was Google itself that was doing this, but several Google workers have told them that nothing is further from the truth: it is the user’s operator, whose name has not transpired, who is modifying the SMS. The operator can read all the content of the SMS, since these are not encrypted, and with this it can also modify its content as we see in this case.
Google has been pushing operators for several years to make the move to RCS , their improved SMS system with which they wanted to fight against messaging apps. RCS didn’t have encryption by default either, but user pressure led Google to finally introduce it last November.
Unfortunately, this system is only used among users who have mobile phones and operators compatible with RCS activated, and the majority of company communications with users are still done via SMS. And this operator not only damages the credibility of the two-step verification, but also prevents it from reaching the user and forces them to check the spam folder.