Last Updated on June 8, 2026 by Staff
A team of computer scientists from the University of California San Diego. Helped fix a big security problem. This problem let attackers pretend to be people in smartphone text conversations. The flaw affected both Android and Apple devices. It involved all major wireless carriers in the United States like Verizon, T-Mobile Google Fi and several smaller providers.
The vulnerability was especially concerning. It let cybercriminals send text messages that looked like they came from trusted contacts. In some cases attackers could even add messages to existing conversations. This made the deception more convincing.
After finding the issue researchers worked with carriers and smartphone makers. They developed solutions to protect users from abuse.
How It Worked
The problem started with a feature introduced by mobile carriers in the early 2000s. At that time companies wanted to encourage text messaging. So they created a service that lets people send text messages through email.
Email and text messaging systems were built using different standards and formats. To make communication possible carriers had to translate email messages into text messages.
This translation process created weaknesses. Important information about the sender could be obtained. Misinterpreted during conversion. Attackers learned how to use these inconsistencies to hide their identity. They made messages appear as if they were sent by someone
Researchers described the issue as a communication problem. It was between two systems that were never designed to work
Fooling Smartphones
The vulnerability became more dangerous when the converted message reached a smartphone. Both Android and Apple devices compare sender information against the user’s contact list.
Attackers found they could manipulate email addresses. They added characters that confused the messaging software. In some cases the system thought the modified email address was a phone number. It belonged to someone in the victim’s contacts.
As a result fake messages appeared to come from friends, family members, coworkers or other known contacts. The messages could be added to conversations. This made them seem authentic.
Although attackers could not view responses sent back by victims, fake messages could still be used for scams. They could be used for phishing attempts, misinformation campaigns or social engineering attacks. These attacks trick users into revealing information.
The researchers emphasized that the lack of standards for converting emails into text messages made these attacks possible. The text messaging systems and email systems were not designed to work. This created a security risk.
Industry Response
Once the vulnerability was confirmed the research team notified wireless carriers and smartphone companies. Together they developed solutions to close the security loophole.
Verizon, T-Mobile and Google updated their systems. They changed how email address fields are translated into text messages. These changes prevent attackers from exploiting the conversion process. They can’t impersonate users.
Google also fixed the issue within Google Messages. Apple implemented protections in the Messages app on iPhones.
Verizon plans to discontinue the ability for users to send text messages through email. The company expects to finish shutting down the feature by March 2027. This will eliminate one of the sources of the vulnerability.
The coordinated response shows how researchers and technology companies can work together. They can address security risks before they become threats.
Lessons For Users
The discovery highlights a reality. Many users assume that text messages are secure. They think the sender information displayed on their phone is always accurate. However this incident shows that such assumptions are not always correct.
The entire mobile messaging ecosystem relies heavily on trust. Most people believe that messages arriving on their phones have been verified and authenticated. In reality older technologies and hidden system interactions can create vulnerabilities.
Although the discovered flaw has been fixed the research serves as a reminder. Digital communication systems are constantly. Require ongoing security reviews.
Experts recommend that users remain cautious when receiving messages. Even if they appear to come from contacts, users should be careful. Suspicious requests involving money, personal information, passwords or urgent actions should always be verified through another communication channel.
The study received a Distinguished Paper Award at the IEEE Symposium on Security and Privacy. It recognized the contribution to improving mobile communication security. It protects millions of smartphone users from impersonation attacks.