Android Gets Fake Call Detection That Uses RCS
An anonymous reader quotes a report from 9to5Google: Phone by Google wants to combat the "growing threat of impersonation scams" and protect Android users against "sophisticated, AI-powered deepfake attacks" with fake call detection. [...] Fake call detection requires that both parties are on Android and use the Phone by Google app, while Google Messages and Google Contacts also have to be installed. When a contact calls, their phone "sends a silent confirmation signal in real time to your device to verify the call is legitimate and truly coming from the contact's device."
This digital handshake uses end-to-end encrypted RCS (Rich Communication Services). If you're being scammed by an impersonator, your phone will notice that the "initial confirmation signal will be missing," and ping the contact's real device to double-check. If their real device says, "I'm not making a call right now," you'll get a warning on your screen advising you to hang up immediately. This feature will be available globally on Android 12+ phones starting with Pixel devices this month. Fake call detection is enabled by default but can be turned off at any time. Google says it's "possible for other apps and device manufacturers to adopt this technology" given the RCS underpinnings. You can learn more about fake call detection in Google's blog post.
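The handshake described in the summary, modelled as callee-side decision logic. This is an added example, not Google's implementation: the per-contact HMAC key stands in for the end-to-end encrypted RCS channel, and the message fields, the 30-second freshness window, the phone numbers and every name in the code are assumptions.

```python
import hashlib
import hmac
from enum import Enum

class Verdict(Enum):
    VERIFIED = "verified"      # confirmation signal arrived and authenticated
    WARN = "warn"              # contact's real device denies placing a call
    UNVERIFIED = "unverified"  # no signal and the device could not be asked

FRESHNESS_S = 30  # assumed replay window, not a documented value

def make_tag(key, kind, caller, callee, ts):
    # Assumption: an HMAC under a per-contact key models the E2EE RCS channel.
    msg = f"{kind}|{caller}|{callee}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ContactDevice:
    """The contact's real phone; holds the key shared with the callee."""
    def __init__(self, number, key, reachable=True):
        self.number, self.key, self.reachable = number, key, reachable
        self.calling = None  # number currently being dialed, if any

    def place_call(self, callee, now):
        self.calling = callee
        tag = make_tag(self.key, "calling", self.number, callee, now)
        return {"ts": now, "tag": tag}  # the silent confirmation signal

    def answer_ping(self, callee, now):
        if not self.reachable:  # e.g. RCS off or device offline
            return None
        kind = "calling" if self.calling == callee else "not-calling"
        tag = make_tag(self.key, kind, self.number, callee, now)
        return {"kind": kind, "ts": now, "tag": tag}

def check_incoming(caller_id, me, key, signal, device, now):
    """Callee-side decision for a call whose caller ID matches a contact."""
    def valid(kind, m):
        return (m is not None and abs(now - m["ts"]) <= FRESHNESS_S
                and hmac.compare_digest(
                    m["tag"], make_tag(key, kind, caller_id, me, m["ts"])))
    if valid("calling", signal):
        return Verdict.VERIFIED
    reply = device.answer_ping(me, now)  # back-up ping to the real device
    if reply and valid(reply["kind"], reply):
        return Verdict.VERIFIED if reply["kind"] == "calling" else Verdict.WARN
    return Verdict.UNVERIFIED
```

A spoofed caller ID alone yields no valid signal, so the outcome depends on whether the contact's real device can be reached: a denial produces the warning, while an unreachable device leaves the call unverified rather than flagged.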
Re: (Score:2)
The whole point here is that the scam caller spoofs the number and it does appear to come from one of your contacts.
Re: (Score:2)
Which is why he said "TEXT FIRST"...
I'm largely the same, I never answer unexpected calls not just because of scams but because it's extremely inconvenient as a call forces me to stop whatever I'm doing immediately.
A legitimate caller will text or email first to arrange a mutually convenient time for a call.
Re: (Score:2)
If they can fake the caller ID, they can likely fake the text, as well.
Re: (Score:2)
If you assume just SMS then sure.
But very few people use SMS any more. Most users are using RCS, iMessage or other messaging services which are significantly harder to fake.
Re: (Score:2)
Re:Easier fix... (Score:5, Funny)
Re: (Score:2)
Re: Easier fix... (Score:2)
Seems like you still have a bakelite phone with a rotary dial.
Re: (Score:2)
What? I have one. It's hooked up (through an adapter) to the VoIP port on my fiber router. It rings and everything.
Re: (Score:2)
Most carriers are running their own RCS relays now.
Those that don't fall back to Google but Google has said they're not going to allow freeloading for much longer.
But, AIUI, there's a conspiracy to only allow "approved" clients to use any of them. Certs I'd guess but haven't looked deeply enough. GrapheneOS lacks an RCS client currently. Phones with full user ownership are also blocked.
Most people I know don't care and use Signal.
Re: (Score:2)
But, AIUI, there's a conspiracy to only allow "approved" clients to use any of them. Certs I'd guess but haven't looked deeply enough. GrapheneOS lacks an RCS client currently. Phones with full user ownership are also blocked.
One of the many reasons RCS sucks. There really aren't any viable clients besides Google Messages (Samsung I guess used to do it, but doesn't anymore), and the barriers to building one are high enough that it's basically Google and Apple now.
FWIW, GrapheneOS does include the necessary plumbing (behind some off-by-default privacy toggles) so that if you have their Sandboxed Play Services installed, and Google Messages, RCS can work. Seems to work more reliably than it does on some stock devices I've seen.
Re: (Score:2)
Most carriers are running their own RCS relays now.
Those that don't fall back to Google but Google has said they're not going to allow freeloading for much longer.
But, AIUI, there's a conspiracy to only allow "approved" clients to use any of them. Certs I'd guess but haven't looked deeply enough. GrapheneOS lacks an RCS client currently. Phones with full user ownership are also blocked.
Most people I know don't care and use Signal.
What is "full user ownership"?
Re: Easier fix... (Score:2)
I have Google Services, but RCS is not available in my country. Should I consider myself lucky?
Re: (Score:2)
I virtually never get spam calls (maybe 2 in the last decade), but it sure is annoying when I'm trying to call someone with the same policy you have.
If I need to call them from work, I don't have any way to send them a text.
If I'm trying to call someone personally, it's obviously because I need an answer now, not when they get around to looking at their texts.
Re: (Score:2)
Stopped answering ALL calls from any number not already a contact, entirely. Stopped transacting any and all business over the phone. And ONLY take calls from those who know to TEXT FIRST, and are on the list of 4-5 people I will take calls from. Otherwise... "Calling" Me, is literally impossible. Has been for 20 years. ;-D
I've been getting more scam texts than emails lately.
Re: (Score:2)
Depends on the sophistication and determination of the attacker...
You can quite easily see relationships between people based on social media, you can correlate this with known numbers. Similarly a lot of people disclose their phone numbers via email signatures so if you have multiple people from the same company with disclosed numbers you stand a reasonable chance that they will be in each other's contacts.
Simple solution (Score:2)
For financial emergency situations such as this, there will be a sense of urgency projected by the caller. Tell the calling party that you have to call them back to continue the discussion. Their reaction should be frantic. That will give them away.
Unless they can intercept and reroute your outgoing calls via virus of some sort, or by penetration of your telecom carrier, this should be safe.
Never initiate any financial transaction until you have verified for yourself the request is genuine. Take time to th
Re: (Score:2)
I've done this. My bank called me once, said they were the security department, etc. I just said, that's nice. I'll call you back on the number provided by my bank that was sent via snail mail.
In this actual scenario, it was a legit thing but I never trust anyone that just calls me out of the blue, regardless of what they say.
The security person just said, "Okay that's fine." and that was that.
You are protected (Score:5, Funny)
This is great! The more Google knows about me, the more they can protect me. I will feel so much safer once this rolls out.
Re: (Score:2)
Google will protect you at the bottom of the stairs.
Re: (Score:2)
This is great! The more Google knows about me, the more they can protect me. I will feel so much safer once this rolls out.
Sarcasm noted. So... you think this fake call check is a bad thing? Or do you have a different design to suggest that would work better?
Re: (Score:3)
It's actually a pretty clever solution, and probably the only way this is possible given that phone companies have zero interest in fixing it. It's trivial to spoof numbers; Caller ID is an extremely broken system. But this is yet another of the unfortunate trend toward all communication flowing through either Google or Apple. Even if you believe that "end-to-end" encryption really is party-to-party and not just between you and Google, it relies on Google knowing the identity of both parties. I would prefer a
Re: (Score:2)
It's only trivial because the telcos permit it to be. Their problem is that if they start blocking number spoofing, they will be blocking revenue...
Re: (Score:2)
it's just so much easier to centralize it
Fully-decentralized trust systems just don't work. PGP failed primarily for this reason, while SSL Certificate Authority system succeeded -- which shows that you don't need perfect centralization, a federation can do it, but the federation has to contain a sufficiently small set of authorities that it's practical for those who need to trust them to do so. The SSL analogy is useful in another way, too. Note that end-users don't know or care about CAs, they only have to trust their browser; the browser aut
Re: (Score:3)
Re: (Score:2)
This is great! The more Google knows about me, the more they can protect me. I will feel so much safer once this rolls out.
This is a turn-your-brain off comment. They don't need to know anything about you for this. It's effectively how verification of certificates works, nothing more. You do this every day. You're doing this right now posting on Slashdot - your browser is verifying that this is the real Slashdot you are visiting based on your past visits.
Duress Words and other Defense Mechanisms. (Score:3)
In the rapidly growing era of AI-driven attacks against humans abusing the more traditional forms of urgent communication (voice, video, etc.), it becomes quite important for us meatsacks to remember the value of duress words. Which you should coordinate with your fellow loved ones in person. Using hand-written paper and/or a whisper-level voice to document and share.
Ensure everyone is well aware of growing scams by agreeing to call or contact each other at minimum specific intervals. Consider a collective agreement in which no financial decision above a certain threshold is decided without others being involved or made aware. Ensure all involved can be fully trusted to understand why these protections are becoming necessary.
Re: (Score:3)
Whispering no longer works. Voice isolation tech has gotten extremely good at fully discerning speech even when barely voiced at all.
Try it. Set your phone down on the table. Open your phone's message app. Turn on voice dictation. Back up 1-3 feet. Speak as quietly as you can while still enunciating all vowels/consonants.
Mine correctly transcribes speech this way, even in a room with background hums from several different machines.
Personally, I would not say anything confidential within the same room as any
Re: (Score:2)
It's been at least a decade, but I remember a research paper that claimed they could pick out individual voices in a stadium. The theory is to place mics around the stadium. Then you calculate how long it takes for sound to get from the seat you want to spy on to each mic. Then you align their audio recordings based on those timings which amplifies the sounds coming from that spot. Everything else mixes into noise and you can hear the person in that seat speaking.
I know most phones have multiple mics (i
Re: (Score:2)
Re: (Score:3)
I will, but will you take the call?
Re: (Score:2)
Re: (Score:1)
Probably the same as mine: 1-800-382-5633 (1800FUCKOFF)
Or the phone companies could stop it at the source (Score:2)
Re: (Score:2)
Until recently when we switched to VoIP I ran a few telephone switches for work. I could send arbitrary caller ID through the phone network, but didn't because we want people to be able to call our customers back if they're called.
If I had sent a fake caller ID, could the destination phone company figure out that I was sending it? Yes, but it would be non-trivial once it had gone through a few PSTN switches run by different phone companies and they all had to track it back through their switches to find out
Re: (Score:3)
When asked if they would do anything about it, they all either refused to answer or came up with bullshit excuses.
They know. They just make too much money off the calls to care.
Re: (Score:2)
Of course the phone companies know who is making the calls. They use ANI, not Caller ID, because ANI is used for billing purposes, rather than a placebo for the victims/customers/product to be sold. The end consumer, of course, does not have ready access to ANI info (and it would take some significant upgrades to the system for it to provide reliable information to the end consumer anyway).
It could be done, but the phone companies will never do it without being forced to.
useless (Score:2)
Why do you expect spammers will use the apps that give them away as spammers?
Re: (Score:2)
This doesn't depend on spammers having an app, it just means if a spammer calls you from Bob's phone number, Android will check with Bob's phone to see if he's calling you.
And if RCS is turned off? (Score:3)
On the spammer's phone? On the impersonee's phone? On the target's phone?
I have RCS turned off on mine because
a. SMS works when nothing else does.
b. I don't fancy my every text going through Google.
Re: (Score:2)
On the spammer's phone?
That's the point. If it comes from someone you know, who keeps it on, and it's off, you know it's not them.
It's not about identifying who they are, it's about identifying who they are not.
(I agree, though, that it's largely useless except to give Google more data to sell.)
who is allowed to check? (Score:1)
Other than the "silently" part, I suppose the first isn't a lot different than the old style busy signal, but I wonder what Google has in place to avoid abuse of that feature.
How about texting the number? (Score:2)
HOLY SHIT! (Score:3)
Does it do this? (Score:2)
What stops the scammer's phone sending this signal?
It's presumably something on the caller's phone that the receiver (you) can check, such as a SHA-256 hash of the caller's IMEI. In case your phone doesn't have the information on file (or a genuine caller changed devices), your phone sends a back-up ping to the caller's supposed phone number.
Whatever happened to STIR? (Score:2)
"Fake call detection requires that both parties are on Android and use the Phone by Google app, while Google Messages and Google Contacts also have to be installed"
No chance in hell. Why not run spam blocker and enable STIR filtering? I don't understand what Google brings to the table that is not already accomplished by caller authentication.
We need a call inbox (Score:2)
Split into categories:
- People I know
- People I don't know
- Businesses
- Suspected Spam/Scam
- Other
Only people I know and whitelisted businesses make the phone show a call notification/ring/vibrate.