
    RCS messaging loophole exposes global users to smishing attacks

    By Scarlett Guo, July 8, 2025
    • Researchers find that the RCS verified sender system is vulnerable to spoofing, exposing users to phishing risks.
    • Protocol misuse affects major telecom operators and global Android users, raising urgent concerns about mobile security.

    What happened: RCS sender verification can be spoofed

    Cybersecurity researchers from Evina and Mindflow have discovered a major flaw in the Rich Communication Services (RCS) protocol. The issue lies in how telecom providers verify “trusted” RCS senders. Instead of using strict, mutual authentication, many operators rely on local checks that criminals can bypass.

    Attackers register a number with a foreign RCS server and send messages that mimic trusted brands. These messages can include official logos and names, making them look genuine. Victims receive them via Google’s Messages app, which supports RCS by default. According to TelecomTalk, the flaw affects users worldwide, including those served by networks using Google’s Jibe platform.


    Why it’s important

    The security lapse highlights a systemic failure in how RCS verifies senders. Smishing, or SMS phishing, is a growing threat. The shift from SMS to RCS was meant to strengthen mobile messaging security, but this discovery shows the system may be equally, if not more, vulnerable if poorly implemented.

    Unlike SMS, where users can see phone numbers, RCS verified messages often show brand names and logos, creating a false sense of security. With no clear protocol enforcement or cross-operator verification, attackers can exploit inconsistencies to craft realistic-looking scams. As noted by Evina CEO David Lotfi, “This isn’t a flaw in one app—it’s a protocol design issue.”

    The stakes are significant. RCS is now embedded in the default messaging app on billions of Android phones. If left unaddressed, this vulnerability could be used in large-scale phishing campaigns similar to past attacks exploiting SS7 signalling flaws.

    Mitigating the risk would require strict authentication enforcement, cross-operator standards, and greater transparency by telecom firms. Google, telecoms, and device manufacturers must coordinate to patch the protocol and restore trust in RCS as a secure alternative to SMS.

    Scarlett Guo

    Scarlett Guo is a community engagement specialist at BTW Media, having studied Marketing at University of Bangor. Contact her at s.guo@btw.media.
