By an experienced network and service assurance team.
Most fraudulent text messages still arrive the boring way: cheap, high-volume SMS sent from overseas through unsuspecting routes. But a more sophisticated threat has been spreading across mobile networks: the SMS blaster.
An SMS blaster is, in effect, a mobile network in a car trunk. It carries its own RAN and core, mimics a legitimate operator, and forces nearby phones onto a fake cell long enough to push fraudulent texts — then hands them back to the real network and drives off. Because the spam never crosses the operator’s SMSCs, traditional content-filtering tools see nothing.
This is the story of how some of Polystar’s long-standing customers turned their core network telemetry into a national defense against this kind of attack.
In this market, the operator runs a complex shared infrastructure with many RAN & Core vendors operated by multiple companies. That fragmentation makes it hard to:
Collect consistent radio-side telemetry across all vendors and partners.
Build a single national view of mobility anomalies, handovers and failures.
Spot devices that broadcast fake cells for less than a minute at a time.
Other markets have tackled SMS blasters using RAN-vendor systems. In a multi-operator, multi-vendor environment, that approach would have meant blind spots and impractical integration.
Working with Polystar, they built detections on three signals already flowing through its Osix Monitoring and Kalix Analytics.
Spam reports forwarded by subscribers to the global short code, with no matching SMS in network logs — strong evidence the message came from outside the real network.
Tracking-area updates that referenced “previous systems” not present anywhere in the operator’s configuration — a sign the device had briefly camped on a fake cell.
Handover failures involving non-existent target cells, which cluster geographically wherever a blaster operates.
Because Polystar taps at the S1 interface, the operator captured rich metadata — source cell, target cell, tracking area, identifiers — across all RAN vendors and partners in a single, consistent view. No vendor-specific portal could have done that.