Canadian authorities have arrested three men for operating an “SMS blaster” device that pretends to be a cellular tower to send phishing texts to nearby phones.
Such tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. Mobile phones in its range automatically link to them as there is stronger reception.
Once the connection is established, the operators of these rogue cellular base stations can push SMS messages directly to connected devices, which appear to come from trusted entities such as banks or the government.
“An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations,” explains the police.
“These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords.”
No phone numbers are required for these messages to be sent; only that the targets be within range. In densely populated areas, this practically means mass distribution, and hence the name “blaster.”
The Canadian authorities noted that this is the first time that such a device has been spotted in the country.
The Toronto Police said the investigation, dubbed ‘Project Lighthouse,’ began in November 2025 after receiving tips about suspicious activity in downtown Toronto.
Police found that the equipment was operated from vehicles, allowing it to move across the Greater Toronto Area and target large numbers of people.
The investigators believe that during the SMS blaster’s operation, 13 million cases of mobile network entrapment occurred.
Besides the phishing aspect, devices connected to those rogue stations are temporarily disconnected from their provider’s legitimate network and cannot reach emergency services if needed.
The police conducted searches in Markham and Hamilton on March 31, and seized multiple SMS blasters and other electronic devices.
Two suspects were arrested, while a third man turned himself in on April 21.
To defend against rogue towers, users are recommended to disable 2G downgrades on Android, although this measure is not effective against more advanced setups targeting LTE/5G signaling.
SMS should be treated as an insecure channel, and users should avoid following links received over this channel.
For sensitive data or communication exchanges, the recommendation is to use end-to-end encrypted channels.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.