Future Generation Computer Systems 108 (2020) 803–815

Contents lists available at ScienceDirect

Future Generation Computer Systems

journal homepage: www.elsevier.com/locate/fgcs

Smishing Detector: A security model to detect smishing through SMS

content analysis and URL behavior analysis
∗
Sandhya Mishra , Devpriya Soni
Jaypee Institute of Information Technology, Sector-128, Noida, India

article info a b s t r a c t

Article history: Smartphone’s popularity and their constant connectivity to the World Wide Web have made these
Received 15 July 2019 devices vulnerable to phishing and smishing attacks. Phishing is a practice of sending malicious
Received in revised form 20 February 2020 emails to users. Smishing is a combined form of SMS and Phishing in which invaders send SMS
Accepted 7 March 2020
containing malicious content to the victim. This content sometimes includes links which redirect the
Available online 12 March 2020
user to websites containing malicious applications and user interfaces. Researchers have proposed
Keywords: various methods in past years to detect smishing but still, we lack a method that significantly avoids
Smishing false-positive results i.e. falsely categorizing a message as malicious when it is genuine. Hence, we
Phishing have proposed a model called ’Smishing Detector’ to identify smishing messages while reducing
Text messaging false-positive results at every possible step. The proposed method consists of four modules, namely,
Mobile security
SMS Content Analyzer, URL Filter, Source Code Analyzer and Apk Download Detector. SMS Content
Machine learning
Analyzer analyzes the text message contents. Naive Bayes Classification Algorithm is used to identify
SMS
the malicious contents and keywords present in the text message. URL Filter inspects the URL to
identify malicious features. Source Code Analyzer examines the source code of the website to identify
the harmful code embedded in it. Form tag and URL domain present in the source code are also
inspected in this module. APK Download Detector identifies whether any malicious file is downloaded
while invoking the URL. User consent taken while downloading the file is also inspected in this
module. Finally, we have developed a prototype of the proposed system which has been validated
with experiments on SMS datasets. In this paper, we have demonstrated the results of each module
separately and also we have demonstrated the final results. The results of the experiments show an
overall accuracy of 96.29%. We have compared this model with other models proposed by various
researchers and we have found that this model covers more security aspects as compared to other
models.
© 2020 Elsevier B.V. All rights reserved.

1. Introduction by 2021 [2]. Currently, the Android operating system by Google

The development and growth of Information Technology have
led us to connectivity through the Internet and increased usage
of smartphones. The data shows [1] smartphones are becoming
more and more lavish and Smartphone users are accessing the In-
ternet all over the world. Companies like Facebook and Google are
striving continuously to make the Internet a more fascinating
utility. As technology gets cheaper, the number of smartphones
and Internet users will keep on increasing. The rapid growth
of Internet users has lead to a huge increase in incidents of
cybercrimes like phishing and smishing. In 2017, the number
of mobile Internet users in India was 351 million. In 2018, the
number of users who accessed the Internet through mobile in
India was 390 million and is expected to reach almost 469 million
∗ Corresponding author.
E-mail address:
is the most popular mobile operating system [3], whose market
share is greater than 80%. Due to its popularity and lax security,
Android-based smartphones are becoming the main target for
attackers. User privacy is becoming an important issue in Android
devices as users are keeping their crucial information like debit
card and credit card details in an Android device. Attackers aim
to steal user’s private information such as user credentials and
financial details by masquerading as a legitimate entity. Mobile
device users are more prone to phishing attacks due to the
following reasons [4]:
• Users are not able to check the legitimacy of a webpage
within the small display of mobile devices because URL
addresses are not fully visible within the small display of
mobile browsers.
• Mobile users lack awareness about the risks that they might

[email protected] (S. Mishra). face as a result of adopting less secure behaviors and most

https://doi.org/10.1016/j.future.2020.03.021
0167-739X/© 2020 Elsevier B.V. All rights reserved.
804 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815
of the mobile users lack knowledge about security options
that can be utilized to avoid phishing attacks.
• Mobile users are in a habit of entering their credentials
whenever asked. Several surveys conducted by other au-
thors observed that [5] 40% of Smartphone users enter their
passwords into user interfaces at least once. This makes the
attacker to come up with fake user interfaces of legitimate
websites to obtain the personal and financial credentials of
the Smartphone user.
Short Message Service i.e. SMS is very popular among mobile
phone users. In India, the usage of smartphones has increased
rapidly and people have found text messaging the way to com-
municate. As text messaging is the most economical option avail-
able to reach masses, it is extensively used for offering purchase
points of interest and as an advertising medium. Approximately
9132 lac text messages are sent every hour across the world [6].
This increasing use of text messages makes it highly favorable
for attackers. More than 90% of SMS messages are opened within
3 seconds [6]. This shows that users feel a sense of urgency
which is essential for targeting an attack. SMS phishing is an
attack, in which an attacker sends a text message to the user,
and that message contains phone numbers or email ids of the
attacker or it contains links to malicious web pages, applications
or user interfaces that prompt the user to enter their credentials.
Users reveal their significant information like user id, password
and credit card information through these user interfaces. The
attackers acquire user’s sensitive information like contact num-
bers, photos, etc along with monetary gain through this attack.
Attackers prefer using SMS instead of email for Phishing [7]
because of the following reasons:
• Text messages have higher response rates from users in
comparison to emails.
• As sending SMS is an economical option, attackers are able
to send SMS in bulk at reduced rates to the victims with a
cheap SMS package.
• Users find it difficult to identify whether the URL is a gen-
uine URL or phishing URL by gazing at the link contained in
the text messages [7].
SMS Phishing is also known as Smishing which is a compound
word of SMS and Phishing. David Rayhawk of McAfee used the
word ‘‘SMISHING’’ for the first time on August 25, 2006. Smishing
or text message-based phishing involves sending malicious SMS
to the user through which the user is prompted to send his
sensitive information to smisher. Smisher is an attacker who
uses SMS for phishing. Malicious activities of a smishing SMS
are categorized in Fig. 1. A Smishing SMS contains any of the
following activities [8]:
• Embedded URL: In this technique, the attackers send a text
message to victims by inserting a URL into it. An example of
a Smishing message [9] containing URL is shown in Fig. 2(a).
Once the user reads the messages and click the URL, the
following activities are initiated:
• The malicious code embedded in the URL installs into
the victim’s phone.
• Some URL redirects the user to a malicious phishing
website which looks similar to a legitimate website
and prompts the user to fill user credentials or credit
card details in the form provided.
• *.apk file is downloaded into the victim’s phone which
turns out to be malware and it causes malicious activ-
ities later on.
Fig. 1. Malicious activities of a smishing SMS.
• Phone number and/or Email address: The attackers sends an
SMS to the victim declaring free coupons, discounts or free
gifts along with a phone number or email id mentioned in it
so that the victims contact the attacker on the phone num-
ber or email address and gradually attackers request their
credentials. Example of smishing messages [9] containing
phone number and email id is shown in Figs. 2(b) and 2(c).
• Self-Answering SMS: The attackers send a self-answering
message to the victim asking the user to Subscribe or Un-
subscribe a service. These links redirect the user to malicious
websites.
During smishing, attackers design the user interface wisely so
that the user is unable to identify the minor differences between
a legitimate website and fake website created by the attacker.
They copy the source code of the legitimate website to create a
fake web page that will look similar to a legitimate web page but
these websites could re-direct the user to other malicious links.
Also, attackers modify the URL to create a fake URL that looks like
URL of a legitimate website. The attacker misplaces a character or
misspells the URL to redirect it to a malicious website or file.
The literature survey reveals that there are a few strate-
gies proposed by previous researchers to distinguish smishing
SMS from legitimate SMS. While analyzing the existing methods,
we found that most of them used the blacklist approach [10],
whitelist approach and heuristic approaches [11,12] to detect
smishing attacks. However, the blacklist method is not efficient
because URL domains of smishing messages are changed fast (age
of the domain is very less) and they use URL shortcut service
(short URL). So attackers keep on changing the domain name
frequently for phishing attacks which makes the blacklisting
technique ineffective. Some researchers have used a heuristic
approaches but features of an SMS content alone cannot de-
termine it is smishing or not. The presence of some keywords
and URL in the message may indicate a smishing but it might
be a legitimate message sent by an online shopping website
or mobile service provider. It can be a spam message but it
cannot be categorized as a smishing message until and unless we
find that the URL is redirecting the user to a malicious website
trying to steal the credentials of the user or it is downloading
a malicious file automatically. If we classify the spam message
as a smishing message, it indicates a false-positive result. False-
positive results can be defined as incorrectly labeling a legitimate
SMS as smishing SMS. It is essential to check the authenticity
of the URL contained in a message before categorizing it as
smishing [8]. The existing methods proposed by other authors
for detection of smishing messages have some limitations. So, it
is essential to come up with a new and efficacious method that
identifies smishing messages avoiding false-positive results.
Hence, we proposed a model called Smishing Detector based
on SMS content Analysis and URL behavior analysis that has low
 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815
Fig. 2. Examples of Smishing messages.
false-positive results. We have done the content analysis of the
smishing SMS and have also analyzed the behavior of the URL
included in it. We have analyzed the source code of the URL to
check its malicious behavior and re-directions.
What we propose in this paper:
• A method that can detect Phishing initiated through text
messaging.
• An embedded APK Download Detector module which veri-
fies the behavior of the URL included in the SMS.
• A Source Code Analyzer module that inspects the legitimacy
of the Source code and its re-directions.
• A user interface which helps the user to select or skip the
various steps involved in detecting the Smishing SMS in case
if the user is already aware of the legitimacy of the text
message.
• To experiment with a real-time application of the system, a
prototype of the system is developed and the results of the
model are verified using SMS datasets.
The remaining part of this paper is arranged as follows: A
summary of the research work done by other authors in this
field is discussed in Section 2. Our proposed system is presented
in Section 3. The architecture and flowchart of the model are
depicted in Sections 3.1 and 3.2 respectively. Section 4 explains
the results of the experiments conducted on the prototype of the
proposed system. A comparison of the suggested system with
other related works is presented in Section 5. The Conclusion of
the proposed work is given in Section 6.
2. Related work
In recent years, researchers are focusing more on smishing due
to its popularity in mobile attacks. Some researchers have pro-
posed models to detect smishing messages [10,11,13–17]. Some
of the spam detection models which used similar approaches
are also discussed here [18,19]. Many researchers have discussed
smishing strategies and smishing detection approaches to bring
awareness among users and researchers [20–23]. This section
gives an overview of various research work presented by other
authors in the context of Smishing. As smishing is a category of
phishing and similar techniques are used for phishing detection,
we have discussed some phishing detection approaches [12,24–
28].
In a smishing study proposed by Joo et al. [13], the author
suggested a system called ‘S-Detector’ for identifying smishing
805
messages. S-Detector contains four components, namely, SMS
monitor, SMS analyzer, SMS determinant, and Database. This
model inspects the URL to analyze whether .apk file is down-
loaded or not. If an executable file is downloaded, the SMS is
categorized as smishing. They have used the Naive Bayes clas-
sification algorithm to analyze the contents of the messages.
Another study proposed by [14] suggested a rule-based method
for identifying Smishing messages. They have identified nine rules
to filter smishing messages from legitimate messages. Further,
these rules were trained using different classification algorithms
like Decision Tree, RIPPER, and PRISM. The performance evalua-
tion of the approach shows more than 99% true negative rate. A
research work proposed by Sonowal et al. [11] proposed a model
named SmiDCA for detecting smishing messages using a machine
learning approach. The proposed model extracted 39 features
from smishing messages using correlation algorithm. Machine
Learning algorithms were used and experiments were conducted
on different datasets. Experimental evaluation of SmiDCA dis-
played an accuracy of 96.40% using Random Forest classifier. Goel
et al. [10] proposed a smishing detection system called ‘smishing
classifier’ for identifying Smishing messages. This system inspects
the contents of the SMS and SMS keywords using Naïve Bayesian
Classifier. The proposed framework verifies the existence of URL
in SMS and it also inspects the mobile number of the sender.
Further, login page appearance and download of APK file are also
evaluated in this model. A. Kang et al. [15] discussed various
types of phishing and smishing attacks. They have proposed a URL
validation test to check the authenticity of the URL included in
the message. They have also discussed the smishing box approach
as a security measure against downloaded applications during a
smishing attack. In another work proposed, the author [16] used a
content-based approach to detect smishing messages. A machine
learning algorithm is used for identifying the most frequently
used keywords in smishing SMS. Further, the appearance of the
login page and downloading of the .apk file is also evaluated
in this model to inspect the maliciousness of the URL. A recent
work proposed by Ankit et al. [17] proposed a feature-based
model for detecting smishing messages using a machine learning
approach. The proposed model extracted some features of smish-
ing messages and analyzed the results using 5 Machine Learning
algorithms on the same dataset. Experimental evaluation of this
model displayed an accuracy of 98.74%.
Some authors have proposed spam SMS detection model using
similar approaches. In a study presented by Yadav et al. [18],
the author presented ‘SMSAssassin’ a spam SMS detection model
806 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815
using the Naive Bayes algorithm and Support Vector Machine
(SVM). Authors have used crowd sourcing to keep the spam
database updated. Users having SMSAssassin application on their
mobile device can use the spam messages identified on their
device to update the Spam Keyword Frequency list to enhance the
performance of the system. The authors have also presented [19]
the design and implementation of SMSAssassin which performs
machine learning-based SMS content filtering to distinguish spam
messages. They have designed and implemented an Android ap-
plication which categorizes and handles different kind of mes-
sages which makes the SMS management simple for the user.
This application also offers an interface to select the notification
preference to the user.
Some researchers have discussed phishing and smishing de-
tection approaches to bring awareness among users and re-
searchers. Foozy et al. [20] proposed taxonomy of phishing detec-
tion on a mobile device. They have stated and elaborated various
phishing techniques like Bluetooth phishing, SMS phishing, voice
phishing, and mobile application phishing. The researchers also
compared and evaluated various phishing detection techniques.
Hossain et al. [21] elaborated various types of phishing attacks.
They have also discussed various phishing mitigation techniques
and best policies which should be followed to prevent phishing
attacks on mobile devices. Their work is aimed at bringing more
security awareness to mobile users. Diksha et al. [22] presented
a detailed study of phishing attacks. They have discussed var-
ious mobile phishing attacks conducted by attackers and their
countermeasures. They have also discussed the taxonomy of
phishing solutions, techniques used by authors, various chal-
lenges involved in the detection of phishing attacks and they
have also elaborated various phishing datasets. In a recent work,
Sandhya et al. [23] discussed various smishing attacks performed
by attackers. Author has also suggested some policies which can
be adopted by the user to deal with the smishing attacks. Vari-
ous techniques and methodologies used for mitigating smishing
attacks are also discussed in this paper.
In a study to detect phishing websites, the author [24] pro-
posed a model called ‘PhiDMA’, incorporating five layers. They
have also implemented a sample of this system which offers
an interface for visually impaired persons. Experimental results
have shown an accuracy of 92.72%. Wu et al. [25] proposed
a phishing detection technique called ‘‘MobiFish’’ that detects
phishing attacks on mobile devices. For mobile applications, they
have designed ‘‘AppFish’’ and for mobile web pages, they have
designed ‘‘WebFish’’. The proposed method examines the URL,
the IP address of the URL and HTML source code of the website
to detect the maliciousness of the webpage. Zhang et al. [26]
proposed a system that uses the features of phishing URLs, such
as hosted features and lexical features to inspect the URL. They
have used a machine learning classifier to detect the phishing
sites on the basis of the selected features. They have shown
high accuracy of their proposed system by experimenting it on
multiple datasets. Mohammad et al. [27] suggested a phishing
website classification system. They have investigated 17 efficient
features for the detection of phishing websites and developed a
new rule for each feature. They have considered the frequency of
each feature in their datasets to identify the most popular feature
in the detection of phishing websites.
A novel system proposed in [28], called CANTINA which is a
content analysis method to detect phishing websites using TF–IDF
measures. TF–IDF score is calculated for each word in a document
and then five words with the highest values are selected. A lexical
signature is found on the basis of selected words, which is fed
into a search engine. If the domain name of N top search results
matches the domain name of the current web page, authors
declared it as legitimate website else phishing website. Sophie
et al. [12] suggested a heuristic approach for detecting phishing
websites. Based on the characteristics of phishing URLs and web
pages, they have defined 20 heuristics tests. They have also de-
veloped an active anti-phishing toolbar called Phishark. From the
experimental results, they have shown that the combination of
URL-based features and HTML-based features is very effective in
distinguishing legitimate websites from phishing websites.
The existing methods proposed by other researchers used
rule-based approaches [10,13,14,16] and heuristics approaches
[11,12] to detect smishing attacks. Rule-based approaches in-
cluded some rules which covered the flow of smishing attacks
and its re-directions. But rule-based approaches do not cover
the different versatilities of the smishing attacks. Heuristic ap-
proaches analyze the contents of the text message. Applying
machine learning algorithms on SMS contents only does not
detect the versatile smishing trends. We strongly feel that it is
necessary to analyze the behavior of the URL link present in the
text message for the detection of smishing.
3. Proposed work
3.1. Architecture of the proposed system
The proposed model is a Smishing detector which is comprised
of 4 modules, namely; SMS Content Analyzer, URL Filter, Source
Code Analyzer and Apk Download Detector as depicted in Fig. 3.
SMS Content Analyzer verifies the presence of URL, self an-
swering link (SAL), phone number and email id in the SMS.
Messages containing URL or SAL are transferred to URL Filter.
Messages containing email id and phone number are processed
for blacklist check. Then messages are forwarded for text pre-
processing. Text pre-processing is conducted to convert the text
into a form that can be used for text analysis. Text pre-processing
includes removing all punctuations and special strings, converting
each word to lower case, splitting words to tokenize, stemming
i.e. converting each word to its root form and preparing a word
vector corpus. Then we categorize the messages on the basis
of keywords present in it. Keywords contained in the message
are classified using TfidfVectorizer and Naive Bayes classifier.
TfidfVectorizer converts each word in the message to the feature
index in the feature vector matrix. In each vector, the numbers
represents the TF–IDF score of each word selected as a feature.
These feature vectors are used as input to Naive Bayes Classifier.
Naive Bayes Classifier predicts the result based on the learning
from the feature vector matrix.
URL Filter first converts the short URL to Long URL. Then,
it looks for the URL in Blacklist. URL found in the blacklist is
categorized as Smishing. In the next step, URL Filter verifies four
features of the URL, namely, the age of domain, presence of @tag,
presence of hyphen and number of dots present in the URL to
check the authenticity of the URL. If the threshold of the above
features is greater than or equal to three i.e. 75% or above, then
we categorize the message as smishing. If the threshold is less
than three, we pass on the URL to Source Code Analyzer.
Source Code Analyzer verifies the presence of any form tag
in the source code. If form tag is present in the source code,
Source Code Analyzer compares the domain of the request URL
in source code with the domain of the actual URL invoked. If the
domain is different, the message is classified as Smishing. On the
other hand, if the domain is same, the URL is transferred to APK
Download Detector.
APK Download Detector checks for any file downloading while
invoking the URL. This checking is actually carried on by the
proposed system without visiting the website. The base name
of actual URL is extracted to assess whether it contains .apk
extension as part of the base name. This process does not in-
volve invoking the URL or downloading the APK file. It also
 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815
Fig. 3. Architecture of the Proposed System.
checks whether the file is downloaded with user permission
or not. Sometimes files are downloaded after re-direction of
web pages on phishing websites. Our model also checks for APK
downloading after re-direction of the web pages.
3.2. Flowchart of the proposed system
In this section, we elaborate on the flow of the proposed
system. The flowchart of SMS Content Analyzer is shown in Fig. 4,
URL Filter in Fig. 5, then Source Code Analyzer in Fig. 6, and finally
APK Download Detector is depicted in Fig. 7.
3.2.1. SMS Content Analyzer
SMS Content Analyzer analyzes the contents of the message
as depicted in Fig. 4. The entire working scenario of SMS Content
Analyzer is drafted in the following steps:
Step 1(a): When an SMS is received, it is passed on to SMS
Content Analyzer (Fig. 4). Here, the SMS content is analyzed and
the system verifies the existence of URL or SAL (Self Answering
Link) in the message. If URL or SAL is present in the SMS, then
the message is processed to URL Filter (Step-2(a)).
Step 1(b): If URL or SAL does not exist in the SMS, we check
for the presence of email id or phone number in it. If the phone
number or email id is not present in the message, it is classified
as legitimate message.
Step 1(c): If the phone number or email id is present in
the SMS, then system checks for email id and phone number
contained in the message in the corresponding blacklists. If phone
number or email id contained in the message does exist in the
blacklist, message is categorized as smishing.
Step 1(d): If email id or phone number is not present in
the blacklist, then the system analyzes the keywords present
in the message to classify the SMS using the machine learning
algorithm.
Step 1(e): If the prediction of the algorithm is malicious based
on the learning, message is classified as Smishing else it is classi-
fied as legitimate message.
As shown in Fig. 1, a smishing SMS contains either a URL, a self
answering link, a phone number or an email id in it. According to
our study, without any of these items, an SMS is not expected to
cause any malicious activity. Presence of malicious keywords may
indicate a spam SMS or an advertising campaign but it cannot
807
Fig. 4. Flowchart of SMS Content Analyzer.
be Smishing. So we are checking for the presence of smishing
keywords only when there is the presence of phone number or
email id in the SMS. On the other hand, if keywords are not
malicious, it might be a phone number or email id forwarded by
a known sender. So, it might be a legitimate SMS. Hence, we are
trying to eliminate false positive results at every possible step. If
a URL is present in the message, we further analyze the behavior
of the URL to come to a conclusion. A sender in contacts list might
forward a malicious link without knowing its maliciousness. So all
the links forwarded by known contacts also need to be analyzed
for maliciousness. So we are not considering the factor of ‘sender
in contacts list’ for our SMS filtering. This helps in avoiding false
negative results.
3.2.2. URL Filter
URL Filter analyzes the URL contained in the message as de-
picted in Fig. 5. The entire working scenario of URL Filter is
drafted in the following steps:
Step 2(a): In URL Filter (Fig. 5), short URL is converted to long
URL.
Step 2(b): Now, system check for the presence of URL in
blacklist. If it does exist in the blacklist, then the message is
categorized as a Smishing message.
Step 2(c): If the URL does not exist in the blacklist, URL Filter
verifies four features of the URL, namely, age of domain, presence
of @tag, presence of hyphen and number of dots present in the
URL to check the authenticity of the URL.
Step 2(d): If the threshold of the above features is greater than
or equal to three, then message is categorized as smishing else
if the threshold is less than three, URL is handed over to Source
Code Analyzer (Step-3(a)).
In URL Filter, we are checking for presence of URL in blacklist.
URL blacklist is constructed from PhishTank [29], which is a
website where users and researchers can share phishing data.
But most of the URLs are not available in blacklists as attackers
keep on changing the domains and blacklists are not updated
frequently. So we are inspecting the authenticity of the URL by
checking some malicious features of the URL and age of domain.
Age of domain is a significant factor for detection of phishing
sites as most of the phishing websites have an age of domain
less than 6 months as they frequently makes new domains. As
808 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815

Fig. 6. Flowchart of Source Code Analyzer.

Fig. 5. Flowchart of URL Filter.

shown in Fig. 1, a malicious URL either prompts the user to fill

user credentials or sensitive information like credit card details
in a form provided or it downloads a malicious APK file which
might turn out to be malware. So, once URLs are filtered by the
URL Filter, Source Code Analyzer checks for the form tag in source
code first to ensure that the attacker is not prompting the user to
fill any form provided in the website. If form tag is not found, we
check for the malicious file download activity by passing the URL
to Apk Download Detector.

3.2.3. Source Code Analyzer

Source Code Analyzer analyzes the source code of the URL
without invoking the URL as depicted in Fig. 6. The entire working
scenario of Source Code Analyzer is drafted in the following steps:
Step 3(a): In Source Code Analyzer (Fig. 6), source code of the
URL is analyzed to check for the presence of form tag in it. If form
tag is not present in the source code, URL is processed to APK
Download Detector.
Step 3(b): If form tag is present in the source code, source code
is further analyzed to check whether the domain name of request
URL in the source code is different from the domain of the actual
URL. If the domain is different, message is classified as Smishing. Fig. 7. Flowchart of APK Download Detector.
Step 3(c): If the domain of the request URL is the same as the
actual URL, URL is transferred to APK Download Detector (Step-
4(a)) to further inspect the behavior of the URL.
Step 4(a): Now the APK Download Detector (Fig. 7) extracts
Source Code Analyzer inspects the source code of the target
the target URL of the actual URL.
URL without invoking the URL. This avoids any malicious activity
by the phishing website until the analyzing process is completed Step 4(b): If .apk extension is present in the target URL, the
and malicious URLs are identified. Form tag might be a login system checks whether user consent is taken while downloading
page of a legitimate shopping website which prompts the user to the file. If user consent is not taken, the message is declared as
fill user credentials. So, the presence of a form tag alone cannot a Smishing message. On the other hand, if user consent is taken,
predict maliciousness. Hence, we are matching the URL domain the message is regarded as a Legitimate message.
in the source code with the actual URL domain to check its Step 4(c): If an APK is not downloaded in first access, then
legitimacy which again helps us in reducing the false positive the system checks whether .apk extension is present in the target
results. For most of the legitimate websites, the domain name is URL after re-direction of the page. If yes, then we go to step-4(b)
same in the source code. to check for the user consent else if APK file is not downloaded
after the re-direction of the page, the message is regarded as
3.2.4. APK Download Detector Legitimate message.
The flowchart of APK Download Detector is depicted in Fig. 7. Apk Download Detector checks for any file download without
The entire working scenario of APK Download Detector is drafted invoking the URL to avoid any attack while accessing the URL.
in the following steps: If the file is downloaded after taking user consent, it might be
 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815
Table 1
Popularity of features used in designing phishing websites.
Feature Frequency in %
Long URL 47.2
Age of Domain 93.5
Presence of hyphen (-) 29.4
Number of dots in URL 10.2
Form tag in source code 96.5
Difference in domain 98.3
APK Download 56.4
an application of any legitimate website like Flipkart or Pinter-
est. Hence, if user consent is taken, we regard the message as
legitimate. We are also checking for malicious file download after
re-direction of the page.
3.3. Popularity of features used in the system
In case of a URL is detected in the message, we used some
features of the phishing websites in order to detect the phish-
ing attack. Some features commonly used by the attackers in
designing phishing websites are identified. To find out which
feature is most popular in designing phishing websites, we calcu-
lated the number of appearance of each feature in the phishing
dataset [29]. The percentage of appearance i.e. frequency of each
feature used in our system is shown in Table 1. The results
showed that ‘Difference in domain’ is most popular feature in
designing phishing websites. Form Tag, Age of Domain and APK
download also appeared in most of the phishing websites with a
frequency of 96.5%, 93.5% and 56.4% respectively. That is why we
have tried to cater the features of higher percentage with utmost
care.
4. Implementation results and evaluation
In this section, we describe the implementation details and
evaluation results of the proposed system. A prototype of the
Smishing Detector is developed using python in Jupyter Note-
book. The system is developed into four parts, namely, SMS Con-
tent Analyzer, URL Filter, Source Code Analyzer and APK Down-
load Detector. Further, these four modules are integrated to get
a final prototype of the whole system. The system is finally
evaluated using the dataset. Dataset is collected from the research
work contributed by the author Almeida [30], a contribution to
the study of SMS Spam Filtering. This dataset contains a total
of 5574 messages in which 4827 are ham messages and 747
are spam messages. As per our research, smishing dataset is not
publicly available until now. But smishing message is a spam
message that strives to steal sensitive data from the user. So,
we have extracted some smishing messages from spam dataset
because smishing messages are part of spam messages. Also, we
have extracted 284 smishing images from pinterest.com [9]. We
have added these messages into the dataset after converting it
into text form. Our final dataset is a total of 5858 messages
which contains 538 smishing messages and 5320 ham messages.
Smishing detection is a binary classification problem in which
either a message is smishing or it is legitimate.
Fig. 8 depicts that the model has four interfaces: SMS Content
Analyzer, URL Filter, Source Code Analyzer and APK Download
Detector. SMS Content Analyzer displays the phone number of the
sender and the text message received. It provides three buttons
for the convenience of the user. If the user is already aware of
the genuineness of the message, then the user can tap the NEXT
button to skip the verification of the particular message and go
to next message or the user can tap the Go BACK button to go
to the previous screen. On the other hand, if the user is tapping
809
Table 2
Performance of machine learning classifiers.
Classifiers Precision Recall F1-Score Accuracy
Naive Bayes Classifier 0.93 0.92 0.92 91.6
Random Forest classifier 0.88 0.82 0.83 82.3
Decision Tree classifier 0.91 0.88 0.89 88.2
on VERIFY button, the message is evaluated by the SMS Content
Analyzer and the system displays the result and it redirects the
user to URL Filter screen. URL Filter and Source Code Analyzer
screen provide the user with the option of skipping that particular
step by tapping the SKIP button as shown in Figs. 8(b) and
8(c). APK Download Detector module can be skipped by tapping
on NEXT button which redirects the user to the next message.
Hence, the user can navigate to next message either from the SMS
Content Analyzer module or APK Download Detector module.
Fig. 9(a) shows a legitimate message identified by the pro-
posed system. This interface provides three buttons: READ But-
ton, NEXT Button and GO BACK Button. The message is recognized
as genuine by the model, hence, the user is permitted to access
the message by clicking the READ Button or user has the option to
tap the NEXT button to go to the NEXT message. Go Back button
navigates the user to the previous screen. Fig. 9(b) shows the
smishing message recognized by the system. As the message is
categorized as smishing by the model, the DELETE button deletes
the messages without navigating to the inbox, and the NEXT
button allows the user to move to the next message.
SMS Content Analyzer analyzes the text content of the SMS.
Here, we check for the presence of email id, phone number and
URL in the message. We segregated the messages based on its
contents. Fig. 10 shows the result of the SMS content analysis. Out
of 5858 messages, 5122 messages are segregated and declared as
legitimate messages in this stage, as they do not contain any of
the malicious contents like email id, phone number, or URL.
Text pre-processing is done on messages containing email id
and phone number. Text pre-processing is conducted to convert
the text into a form that can be used for text analysis. Text
pre-processing includes removing all punctuations and special
strings, converting each word to lower case, splitting words to
tokenize, stemming i.e. converting each word to its root form and
preparing a word vector corpus. Fig. 11 shows the results of the
text pre-processing module.
After text pre-processing, we categorize the messages on the
basis of keywords included in it. Keywords contained in the
message are classified using TfidfVectorizer and machine learning
classifiers. TfidfVectorizer converts each word in the message
to feature index in the feature vector matrix which is used as
input to machine learning classifiers. Machine learning classifier
predicts the result based on the learning from the feature vector
matrix. We have used three machine learning algorithms for
the classification and comparison purpose, namely, Naive Bayes,
Random Forest, and Decision Tree. We have evaluated our dataset
for keyword classification using these three algorithms and we
are getting the best results using Naive Bayes Algorithm for the
particular dataset.
The model evaluated the performance of three well-known
machine learning classifiers as depicted in Table 2. Fig. 12 show
the performance of machine learning algorithms. In this Figure,
the x-axis displays the machine learning algorithms, and the
y-axis displays the performance of the algorithms. For the im-
plemented dataset, Naive Bayes gives the best performance and
Random Forest gives the least performance.
Source Code Analyzer analyzes the presence of any form tag
in the source code of the URL. It fetches the actual URL of the
short URL provided. Then it accesses the source code of the
810 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815

Fig. 8. User interfaces of Smishing Detector.

Fig. 9. Results displayed by Smishing Detector.

 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815 811

Fig. 10. Results of text messages segregation based on its contents.

Fig. 11. Results of SMS text pre-processing done on messages containing email id and phone number.

actual URL without actually invoking the URL. Now, the system
search for a form tag in the whole source code. The result is
displayed according to the search outcome obtained. The result
of the procedure is depicted in Fig. 13.
APK Download Detector checks for any file download without
invoking the URL. Fig. 14 shows the whole procedure of per-
forming an APK Download Check. The first line shows the URL
which is in short URL. The second line shows the result of fetching
the actual link address from the short URL. The third line shows
extracting the file name of the file downloaded from the link
without taking user consent. If the file is downloaded without
user consent, the link is declared as malicious and hence the
message is categorized as SMISHING.
We have evaluated our dataset with 5-fold cross-validation
where we partition the data into 5 equally sized subsets or folds.
In the first iteration, first subset is used to test the model and rest
4 subsets are used to train the model. In the second iteration,
2nd subset is used as the testing set while the rest serve as the
training set. This process is repeated until each subset of the 5
folds has been used as the testing set. 5-fold cross-validation uses
80% of data for training purpose, and remaining 20% data for test-
ing purpose. After 5 iterations, our system gave a final accuracy
of 96.29%. Cross-validation results are depicted in Table 3.
The result of the prototype evaluated and experimented shows
that the model gives an accuracy of 91.6% using Naive Bayes
Classifier in SMS Content Analyzer module. Further, the model
shows a final accuracy of 96.29% after evaluating all four modules.
Hence, through our model evaluation, it is concluded that this
system is efficient in detecting smishing messages received in
mobile devices and thereby protecting the users from probable
threats.
As we have followed a flow based approach consisting of a
set of diverse rules, the attacker needs to breach each rules in
a module to reach the next stage in a particular module. We
have four modules in our system, it is almost impossible for the
attacker to predict the whole flow of the system, to circumvent
each of the diverse rules applied in each module and to reach to
the final decision stage. Hence, this model is a proof against the
attacker who is constantly trying to invent different techniques
to circumvent the smishing detection system.
812 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815

Fig. 12. Performance of Machine learning algorithms for SMS keyword classification.

Fig. 13. Results of Form Tag check in the HTML Source code by Source Code Analyzer.

Fig. 14. URL Prediction on the basis of APK Downloading.

 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815 813

Table 3
Cross-validation results of the Proposed Approach.

Table 4
Comparison of our proposed system with the existing researches.
Security S-Detector [13] Rule-Based [14] SmiDCA [11] Feature-Based [17] Proposed System
Requirements
Approaches Used Rule-Based Rule-Based Heuristic-based Feature Machine learning Rule-Based Flowchart
Flowchart selection classification of SMS
Features
Classification Naive Bayes Decision Tree, RIPPER Random Forest, Decision Logistic Regression, Naive Bayes
Approach and PRISM Tree, AdaBoost and SVM Neural Network, Random
Forest, Naive Bayes and
SVM
Dataset Used Not Specified Almeida [30]-spam Almeida [30]-spam Almeida [30]-spam Almeida [30]-spam
dataset manually filtered dataset of 5574 dataset manually filtered dataset manually
to make a new smishing messages of which 747 to make a new smishing filtered to make a new
dataset of 5169 are spam messages and dataset of 5169 smishing dataset of
messages of which 362 4827 are ham. messages of which 362 5858 messages of
are smishing messages are smishing messages which 538 are
and 4807 are ham. and 4808 are ham. smishing messages and
5320 are ham.
Keywords ✓ ✓ ✓ ✓ ✓
Classification
presence of URL ✓ ✓ ✓ ✓ ✓
Presence of Phone no. ✓ ✓ ✓ ✓ ✓
and Email id in the
message
Phone no. and Email X X X X ✓
id in blacklist
URL in Blacklist X X X X ✓
Check for login page X X X X ✓
Difference in URL X X X X ✓
Domain
APK Download ✓ X X X ✓
APK Download after ✓ X X X ✓
re-direction
User consent while X X X X ✓
downloading APK

5. Comparative analysis
We analyzed the existing researches related to Smishing and
compared the related works based on the security measures.
Table 4 represents a comparative analysis of recent researches
with the proposed system for Smishing detection systems.
The existing Smishing detection systems proposed by other
authors and the proposed system commonly check for the pres-
ence of URL when an SMS is received, and they also do the con-
tent analysis of the text message received. But Content Analysis
alone cannot determine the maliciousness of a message until and
unless we further check the maliciousness of the URL involved.
Verification for the presence of self answering link, phone
number and email id is not done in Smishing detection system
proposed by Joo at al [13]. They have analyzed the URL for
download of any APK file but have not checked for the presence
of any login page which prompts the user to fill user credentials.
Ankit et al. [14] have followed a rule-based smishing detection
system considering the contents of the message but they have not
analyzed the behavior of the URL. SmiDCA proposed by Sonowal
et al. [11] has presented a heuristics-based system considering
the contents of an SMS and the keywords present in it. This
system does not check for the maliciousness of the URL, whether
it downloads a malicious file or prompts the user to fill user
credentials in a form provided. As per our study, Smishing is
a threat in which an attacker sends an SMS to the user, and
that SMS includes links to user interfaces, malicious applications,
web pages that prompt user to enter their credentials. Hence, we
cannot classify a message as smishing if the link contained in it
is legitimate even if the message contains malicious keywords.
Hence, we strongly sense the need for checking the behavior of
the URL further to analyze the maliciousness of the link.
814 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815
Smishing Classifier proposed by Goel et al. [10] has done sim-
ilar work but they have not eliminated the false-positive results.
If an APK is downloaded, they have classified it a smishing but an
APK can be the legitimate app of a shopping website like Flipkart.
Similarly, login page and self-answering link can be legitimate
too in case of a message received from Facebook or Amazon
asking the user to log in to their website for availing some offers.
Hence, we need to further check the legitimacy of the website
to avoid false-positive results. If a URL or Self Answering Link
is not present in a message, keywords threshold alone cannot
determine the maliciousness because as per our study, a message
without any link, mobile number or E-mail ID cannot cause any
malicious activity even if it has high threshold keywords present
in it. Verification for the User Consent while downloading APK
file performed in the proposed system is not done by any of the
authors till now. It considerably helps to detect the malicious file
downloading on a mobile device. This check also helps to reduce
false-positive results.
6. Conclusion and future work
Smishing is a critical attack involved with mobile devices
which is rising in this mobile era. Hence, this paper proposed
an efficient model titled Smishing Detector to detect and block
Smishing attacks. The proposed model is using SMS content anal-
ysis and URL inspection method to classify smishing messages
from legitimate messages. SMS Content Analyzer is the module
to analyze the contents of the message. URL Filter, Source Code
Analyzer and APK Download Detector are the modules to inspect
the behavior of URL contained in the message. We have also
developed a prototype of the system using the tkinter package.
This prototype provides user-friendly buttons to skip some of
the steps involved in the system. Machine learning algorithms
are used to classify messages on the basis of smishing keywords.
Naive Bayes classifier shows the best accuracy for the keyword
classification in our proposed system for the particular dataset in-
volved. After integrating all the four modules, the final prototype
experimented shown an accuracy of 96.29%.
A comparison of our model with existing models displayed
that this system comprises more security requirements as com-
pared to other proposed models. This system is expected to
deliver more effective security against attacks in terms of iden-
tifying smishing messages and preventing false-positive results.
The practical implementation of this work can be integrated with
the Android platform and can be used as an application to detect
the smishing messages. This application can be used to identify
smishing message when a message is received and the message
can be discarded or saved based on the result.
In future, we are planning to incorporate more techniques to
the proposed model in order to prevent more intelligent and ver-
satile threat methods. This system is lacking security in ensuring
the genuineness of the application downloaded in APK Download
Detector module. Hence, to ensure application security, we are
also planning to embed Malware detector with APK Download
Detector to identify malicious apps in our future work. This
will focus on more research work to provide security against
personal information leakage and to detect malicious applications
downloaded.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared
to influence the work reported in this paper.
CRediT authorship contribution statement
Sandhya Mishra: Conceptualization, Methodology, Software,
Data curation, Writing - original draft, Visualization, Investiga-
tion. Devpriya Soni: Conceptualization, Supervision, Validation,
Writing - review & editing.
References
[1] Mobile Internet - Statistics & Facts, Retrieved from https://www.statista.
com/topics/779/mobile-internet/.
[2] Number of mobile phone users in India from 2013 to 2019, Retrieved from
https://www.statista.com/statistics/558610/number-of-mobile-internet-
user-in-india/.
[3] Global mobile statistics, part a: Mobile subscribers; handset market share;
mobile operators, 2014, Retrieved from https://mobiforge.com/research-
analysis/global-mobile-statistics-2014-part-a-mobile-subscribers-
handset-market-share-mobile-operators/.
[4] Daily SMS Mobile Usage Statistics. https://www.smseagle.eu/2017/03/06/
sms-mobilestatistics-2/. (Accessed 7 June 2017).
[5] L. Kessem, Rogue Mobile Apps, Phishing, Malware and Fraud, 2012, Re-
trieved from https://blogs.rsa.com/rogue-mobile-apps-phishing-malware-
and-fraud.
[6] https://cmap.amp.vg/web/b3lknalklab1f.
[7] G. Canova, M. Volkamer, C. Bergmann, R. Borza, B. Reinheimer, S. Stock-
hardt, R. Tenberg, Learn to spot phishing urls with the android nophish
app, in: IFIP World Conf. Information Security Education, Springer, 2015,
pp. 87–100.
[8] L. Cranor, S. Egelman, Y. Zhang, Phinding Phish: Evaluating anti-phishing
tools, in: Proceedings of The 14th Annual Network and Distributed System
Security Symposium, February 28–March 2, 2007, 2017.
[9] Pinterest, Smishing message images, November 20 2018, Retrieved from
https://in.pinterest.com/seceduau/smishing-dataset/?lp=true.
[10] Diksha Goel, Ankit Kumar Jain, Smishing-classifier: A novel framework for
detection of smishing attack in mobile environment, in: NGCT, CCIS 828,
2018, pp. 502–512.
[11] Gunikhan Sonowal, K.S. Kuppusamy, SmiDCA: An anti-smishing model
with machine learning approach, Comput. J. 61 (8) (2018) 1143–1157.
[12] Sophie Gastellier-Prevost, Gustavo Gonzalez Granadillo, Maryline Laurent,
Decisive heuristics to differentiate legitimate from phishing sites, in:
Conference on Network and Information Systems Security, La Rochelle,
2011, pp. 1–9, http://dx.doi.org/10.1109/SAR-SSI.2011.5931389.
[13] J.W. Joo, S.Y. Moon, S. Singh, J.H. Park, S-detector: an enhanced security
model for detecting smishing attack for mobile computing, Telecommun.
Syst. 66 (2017) 1–10.
[14] Ankit kumar Jain, B.B. Gupta, Rule based framework for detection of
smishing messages in mobile environment, Procedia Comput. Sci. 125
(2018) 617–623.
[15] Anna Kang, Jae Dong Lee, Won Min Kang, Leonard Barolli, Jong Hyuk Park,
Security considerations for smart phone smishing attacks, 2014, http:
//dx.doi.org/10.1007/978-3-642-41674-3_66.
[16] Sandhya Mishra, Soni Devpriya, A Content-Based Approach for Detecting
Smishing in Mobile Environment, Suscom, 2019, Available at SSRN: http:
//dx.doi.org/10.2139/ssrn.3356256.
[17] Ankit Jain, B.B. Gupta, Feature based approach for detection of smishing
messages in the mobile environment, J. Inf. Technol. Res. 12 (2019) 17–35,
http://dx.doi.org/10.4018/JITR.2019040102.
[18] K. Yadav, P. Kumaraguru, A. Goyal, A. Gupta, V. Naik, Smsassassin: Crowd-
sourcing driven mobile-based system for SMS spam filtering, in: Proc. 12th
Workshop on Mobile Computing Systems and Applications, New York, NY,
USA HotMobile, ACM, 2011, pp. 1–6.
[19] K. Yadav, S.K. Saha, P. Kumaraguru, R. Kumra, Take control of your SMSes:
Designing an usable spam SMS filtering system, in: IEEE 13th International
Conference on Mobile Data Management, Bengaluru, Karnataka, 2012, pp.
352–355.
[20] C.F.M. Foozy, R. Ahmad, M.F. Abdollah, Phishing detection taxonomy for
mobile device, Int. J. Comput. Sci. 10 (1) (2013) 338–344.
[21] Hossain Shahriar, Tulin Klintic, Victor Clincy, Mobile phishing attacks and
mitigation techniques, J. Inf. Secur. 06 (2015) 206–212, http://dx.doi.org/
10.4236/jis.2015.63021.
[22] Diksha Goel, Ankit Kumar Jain, Mobile phishing attacks and defence
mechanisms: state of art and open research challenges, Comput. Secur.
(2017) http://dx.doi.org/10.1016/j.cose.2017.12.006.
 S. Mishra and D. Soni / Future Generation Computer Systems 108 (2020) 803–815 815

[23] S. Mishra, D. Soni, SMS phishing and mitigation approaches, in: Twelfth
International Conference on Contemporary Computing (IC3), Noida, India,
2019, pp. 1–5, http://dx.doi.org/10.1109/IC3.2019.8844920.
[24] G. Sonowal, K. Kuppusamy, Phidma—a phishing detection model with
multi-filter approach, J. King Saud Univ. Comput. Inf. Sci. 29 (2017) 1–15.
[25] L. Wu, X. Du, J. Wu, MobiFish: A lightweight antiphishing scheme
for mobile phones, in: 23rd International Conference on Computer
Communication and Networks, ICCCN, 2014, pp. 1–8.
[26] J. Zhang, Y. Wang, A real-time automatic detection of phishing URLs,
in: 2nd International Conference on Computer Science and Network
Technology, ICCSNT, IEEE, 2012, pp. 1212–1216.
[27] R.M. Mohammad, F. Thabtah, L. McCluskey, Intelligent rule-based phishing
websites classification, IET Inf. Secur. 8 (2014) 153–160.
[28] Yue Zhang, Jason Hong, Lorrie Cranor, Cantina: a content-based approach
to detecting phishing web sites, 2007, pp. 639–648, http://dx.doi.org/10.
1145/1242572.1242659.
[29] PhishTank – Blacklisted URLs, Retrieved from http://data.phishtank.com/
data/online-valid.csv.
[30] T.A. Almeida, J.M.G. Hidalgo, A. Yamakami, Contributions to the study of
SMS spam filtering: New collection and results, in: 11th ACM Symposium
on Document Engineering, 2011, pp. 259–262.
Sandhya Mishra is currently pursuing her Ph.D. in Mo-
bile Security from Jaypee Institute of Information Tech-
nology, Noida, India. She received Master of Computer
Applications from Guru Gobind Singh Indraprastha
University, Delhi, India. Her research interest includes
Cyber security, Mobile security, Smishing and Phishing
Detection, Web security, Social Media Network and
Machine Learning.
Dr. Devpriya Soni is presently working as Associate
Professor in Jaypee Institute of Information Technol-
ogy, Noida, India. She has received her Ph.D. degree
from Maulana Azad National Institute of Technology
(MANIT), Bhopal. She is the Board Member for confer-
ence proceedings and member of review committee for
journals. She is a Remote Center Coordinator for ISTE
workshops organized by IIT, Bombay and conducted
several workshops as RC coordinator. She is also recog-
nized as the Aakash Project Coordinator for the remote
center of IIT, Bombay and guiding many undergraduate
level projects for Aakash tablet. She is also serving as a Reviewer of several
Ph.D. thesis and was invited as jury member, examiner in Skema University
(Lille, France). She has Guided several projects at undergraduate and post
graduate level. Her research interests include mobile security, Mobile Application
Development, Information Retrieval and Data Mining, Software Engineering, Data
Science.