Google Says Disconnect These Mobile Networks — A Defender’s Checklist to Mitigate Mobile Attacks

Hook: Stop Losing Time and Trust to Mobile Attacks — Act on Google's Warning Now

Security teams and IT admins are drowning in alerts while adversaries quietly exploit a predictable attack surface: mobile networks and the protocols that connect devices. Google’s late‑2025 advisory on evolving text‑based scams is a timely alarm — but words alone won't protect your organization. This checklist translates that warning into immediate, prioritized controls for admins and pragmatic steps for users to reduce the risk of mobile attack, SIM swap, and IMSI‑catcher compromises.

Topline: What to Do First (Inverted Pyramid — Highest Impact Actions)

1. Block legacy radio standards where feasible: disable 2G/3G fallback on managed devices and enforce LTE/5G only profiles.
2. Eliminate SMS as primary MFA: require FIDO2/security keys or passkeys and move away from OTP via SMS.
3. Harden carrier account controls: enable carrier port freeze/transfer lock and require account PINs for SIM changes.
4. Enforce enterprise network policies: restrict roaming, allowlist SSIDs, require managed VPNs and DNS filtering for all mobile data.
5. Detect and respond: integrate SIM‑swap alerts, mobile telemetry, and carrier CTI into your SOC playbook.

Why This Matters Now — 2025–2026 Context

Google’s report in late 2025 documented a sharp evolution of text‑based scams into multi‑stage operations combining SMS, malicious links, cross‑platform social engineering and, critically, telecom abuses such as SIM swap and SS7/Diameter exploitation. In early 2026, threat actors increasingly leverage IMSI‑catchers (fake cell towers) and roaming manipulations to intercept messages and calls.

At the same time, industry trends increase exposure: widespread eSIM adoption means profile provisioning is a new attack vector, and continued global use of legacy cellular standards keeps downgrade attacks viable. Meanwhile enterprises are under pressure to support remote work and BYOD while meeting stringent compliance and incident response SLAs.

Google’s Warning — Key Excerpt

“Text‑based scams are evolving into a sophisticated, global enterprise designed to inflict devastating financial losses and emotional distress on unsuspecting victims.” — Google (late 2025 advisory)

Practical Mitigation Checklist — Admins and Security Teams

Use this prioritized checklist as a playbook for rapid deployment across your MDM/EMM, IAM, and SOC pipelines. Grouped by timeline for clarity.

Immediate (0–7 days)

• Disable SMS as a standalone MFA factor: update authentication policies to reject SMS OTP where alternatives exist; put an enforcement timeline and communication plan in place.
• Require device screen lock and SIM PIN: enforce via MDM; educate users to set a strong SIM PIN on both physical SIM and eSIM profiles.
• Enforce managed VPN for mobile data: require VPN for corporate network access and apply DNS filtering to block known scam domains.
• Push a carrier account checklist to users: instruct users to lock carrier accounts (port freeze) and set carrier account PINs.

Short Term (1–4 weeks)

• Disable 2G/3G fallback where possible: configure device profiles to prefer LTE/5G only; where device firmware allows, explicitly block legacy radios.
• Allowlist Wi‑Fi and block open networks: use network allowlists in MDM and disable auto‑join for unknown SSIDs.
• Block installation from unknown sources: enforce Play Store/App Store only on managed devices.
• Implement roaming/network blacklist by MCC/MNC: block attachment to suspicious international networks known for fraud or IMSI‑catcher activity (see implementation tips below).

Medium Term (1–3 months)

• Deploy FIDO‑first authentication: require passkeys or hardware security keys for privileged users and high‑risk roles.
• Integrate carrier telemetry and port‑out alerts: subscribe to carrier APIs or third‑party services that issue SIM swap and port‑out alerts into your SIEM.
• Remove SMS from sensitive workflows: redesign onboarding, password resets, and transaction approvals to avoid SMS.
• Enable advanced logging for mobile endpoints: increase telemetry for mobile apps, including network attachment metadata (MCC/MNC, cell IDs) where privacy policy allows.

Long Term (3–12 months)

• Work with carriers on operator‑level controls: negotiate port‑out verification, carrier‑side monitoring, and fraud prevention SLAs for enterprise numbers.
• Adopt secure eSIM provisioning practices: limit eSIM profile installs to managed provisioning channels and require device authentication.
• Monitor and block SS7/Diameter abuse: collaborate with CTI partners and carriers to detect signaling anomalies and route suspicious traffic for analysis.
• Run mobile red team scenarios: validate controls with targeted SIM swap, IMSI‑catcher, and SMS‑phishing simulations.

Networks and Protocols to Block or Monitor

Not every operator‑level control is available to device admins, but you can create effective mitigations by combining device settings, MDM policies, and carrier partnerships.

Primary Targets

• 2G (GSM) and 3G (UMTS) radio standards: these lack modern cryptography and are often exploited for downgrade attacks and IMSI‑catcher interception. Where your devices and carriers support it, disable 2G/3G fallback and prefer LTE/5G only.
• SS7 signaling exposure: SS7 itself is operator infrastructure — you cannot block it on a device. Instead, monitor for anomalous signaling via carrier partners and apply strict verification for any telecom‑originated MFA flows.
• Insecure SMS and unencrypted over‑the‑air telemetry: treat SMS as untrusted. Avoid sending secrets or one‑time links via SMS.

Network Blacklist Strategy

Network blacklists based on MCC/MNC are powerful for roaming control. Implement them carefully to avoid blocking legitimate business travel.

1. Use threat intelligence to identify high‑risk MCC/MNC combos (rogue MVNOs, flagged carriers in certain regions).
2. Deploy blacklists via MDM policies where supported (Android Enterprise OEMConfig or custom EMM configurations, per‑device network selection controls on iOS via supervised mode).
3. Fallback: require managed VPN or block network access when connected to unapproved roaming networks.

Device Settings — What Users Must Change Now

Communicate a short, non‑technical checklist to end users; pair it with an admin enforcement timeline.

User Checklist (Immediate Actions)

• Set a SIM PIN: enable and remember the PIN. For eSIMs, set a separate SIM lock if supported.
• Enable device encryption and screen lock: require a strong passcode and biometrics where available.
• Avoid SMS for account recovery: change account recovery options on major services to use authenticator apps or security keys.
• Disable automatic network selection for Wi‑Fi: turn off auto‑join to public networks and avoid open Wi‑Fi for corporate access.
• Check carrier settings for account transfer protections: enable port freeze, port passphrase, or equivalent features offered by your carrier.

Enterprise Mobile Controls — MDM/EMM Configuration Examples

Below are implementation patterns that security architects can map to their chosen EMM: Microsoft Intune, VMware Workspace ONE, MobileIron (Ivanti), Google Endpoint Management, etc.

Policy Patterns

• Network Allowlist Mode: configure Wi‑Fi allowlist and set device to block other SSIDs for managed profiles.
• Radio Mode Enforcement: for fleets that do not require 2G/3G, enforce LTE/5G only via OEMConfig or vendor APIs (Samsung Knox, Android Enterprise OEM settings).
• Application Control: prevent sideloading, require Play Protect verification, and only allow approved messaging apps inside the work profile.
• SIM/eSIM Management: require device attestation before provisioning an eSIM profile; block user‑initiated profile additions for managed devices.
• VPN & DNS Enforcement: force VPN with DNS filtering and TLS inspection where policy and privacy allow.

Telemetry and Detection

Collect and forward the following mobile telemetry to your SOC:

• Network identity metadata (MCC/MNC, Cell ID, TAC) where privacy policy permits
• SIM change or swap events from the device and carrier
• App installations/uninstallations and SMS to critical apps (no content—metadata only)
• VPN disconnects and unexpected roaming transitions

Incident Response: SIM Swap and IMSI‑Catcher Playbook

When an event is suspected, act fast. Time is the adversary’s ally in SIM swap scenarios.

SIM Swap — Rapid Steps

1. Immediately lock affected accounts: block sign‑ins and revoke sessions (SAML/OAuth refresh token revocation).
2. Contact carrier & request a port freeze/restore: escalate via enterprise carrier relationship channels.
3. Require out‑of‑band verification for all transactions for the user until cleared.
4. Collect device telemetry and cell attachments for forensic analysis.
5. Reset MFA methods for the user to hardware keys or app‑based authenticators after verification.

IMSI‑Catcher Detection & Response

Detection on devices is imperfect. Treat physical IMSI‑catcher presence as high‑severity and apply a containment strategy.

• Move the user to a different physical location immediately and force a network re‑attach.
• Require device reboots and re‑authenticate carrier attachment in a controlled environment (e.g., office with managed Wi‑Fi).
• Collect cell tower metadata and work with carrier to trace suspicious base station identifiers.
• For high‑value targets, consider temporary device quarantine and re‑provisioning.

Real‑World Example (Case Study)

At defenders.cloud, a client (global finance firm) experienced a near‑miss where a targeted executive received credential‑harvesting SMS followed by a rapid SIM port‑out attempt. They had already migrated to passkeys for corporate access and enforced port‑out protection at the carrier level. The SIM port was halted by the carrier after an automated port‑out alert and the attacker failed to bypass the passkey requirement. Lessons learned:

• SMS‑less authentication plus carrier port freeze stopped the incident.
• Telemetry and a pre‑established carrier escalation path enabled a rapid response.
• Simulation testing exposed gaps in personal number protection for executives; policy was updated to include corporate account backups.

Advanced Strategies and 2026 Predictions

Looking ahead through 2026, defenders should prepare for these trends:

• Greater eSIM exploitation attempts: as eSIM APIs mature, attackers will attempt social engineering and supply‑chain vectors to add or swap profiles.
• Operator‑level cooperation increases: regulators and carriers will be pressured into faster port‑out controls and standardized fraud APIs — security teams should formalize carrier agreements.
• AI‑driven SMS/phishing: adversaries will use generative models to craft personalized SMS lures at scale; detection will require behavioral and contextual analysis, not just signature checks.
• Hardware keys become mainstream: expect broader enterprise adoption of FIDO2 and passkey mandates as primary mitigation against SIM‑based takeover.

Policy Snippets You Can Adopt Today

Copy these high‑level policy lines into your mobile security policy and adapt to your environment.

• "SMS is not allowed as a primary MFA method for any privileged or SSO‑enabled account. Exceptions require documented compensation controls."
• "Managed devices must enable SIM PIN and be enrolled in the corporate MDM prior to connecting to corporate resources."
• "Devices will not connect to roaming networks flagged as high‑risk by the Security team; violations trigger conditional access lockdown."
• "All corporate numbers will be registered with carrier port‑out protection services and monitored via automated alerts."

Implementation Tips by Platform

Android (Enterprise)

• Use Android Enterprise policies to enforce network allowlists, disable unknown sources, and restrict radios via OEMConfig where vendor supports LTE/5G only modes.
• Leverage Managed Play and work profile separation to block personal SMS from accessing corporate apps.

iOS (Supervised)

• Use supervision to allowlist Wi‑Fi, require managed VPN, and restrict eSIM profile additions on corporate devices.
• Enforce device compliance through Conditional Access via Intune or MDM of choice.

Metrics to Track — Prove ROI

• Number of port‑out/SIM swap alerts processed and time to containment.
• Percentage of high‑risk users using FIDO2/passkeys.
• Reduction in SMS OTP usage across corporate accounts.
• Incidents linked to IMSI‑catchers or rogue base stations detected (and traced with carriers).

Limitations and Realities

No single control eliminates mobile risk. Some points to be candid about:

• Device‑level detection of IMSI‑catchers is unreliable on modern locked OSes; carrier collaboration is essential.
• Blocking entire radio standards may break legacy IoT devices — plan exemptions with compensating controls.
• End‑user convenience is a friction point; communication and phased rollout reduce pushback.

Actionable Takeaways — What to Do This Week

1. Push a mandatory SIM PIN+device encryption policy for all managed devices.
2. Announce a phased ban on SMS as primary MFA and start enrolling users in passkeys or security keys.
3. Enable managed VPN and Wi‑Fi allowlist; block open networks for corporate access.
4. Contact your enterprise carrier rep to set up port‑out protection and SIM swap alerts.

Closing — Don’t Treat Google’s Warning as Optional

Google’s late‑2025 advisory is not an abstract caution — it reflects a tactical shift by attackers who combine text‑based scams with telecom abuse. As defenders, you can respond immediately with device settings, enterprise controls, and stronger authentication to move the needle on risk.

Start with the highest impact items: remove SMS from critical authentication paths, enforce SIM locks and managed VPNs, and lock down radio fallbacks. Pair those with carrier agreements and telemetry ingestion for detection and rapid incident response.

Next Step (Call to Action)

Need a rapid deployment checklist tailored to your environment? Contact defenders.cloud for a 2‑week mobile threat hardening engagement: we’ll audit your current mobile posture, deploy prioritized MDM policies, and integrate carrier‑based SIM swap detection into your SOC playbook. Protect your users and critical accounts before the next mobile attack hits.

Related Reading

• The Carbon Footprint of Micro‑Mobility: Are Fast, Powerful Scooters Really Greener?
• What 'You Met Me at a Very Chinese Time of My Life' Really Says About American Nostalgia
• How to Use Music to Hold Space for Difficult Emotions: A Practical Guide
• Media Consolidation 2026: What Banijay + All3 Means for Local Producers and Freelancers in Bahrain
• Virtual Fit, Real Tailoring: How Omnichannel Retail is Redefining Measurements and Alterations