Phishing platform ‘Lucid’ behind wave of iOS, Android SMS attacks

A phishing-as-a-service (PhaaS) platform named ‘Lucid’ has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android).

Lucid, which has been operated by Chinese cybercriminals known as the ‘XinXin group’ since mid-2023, is sold to other threat actors via a subscription-based model that gives them access to over 1,000 phishing domains, tailored auto-generated phishing sites, and pro-grade spamming tools. 

Prodaft researchers note that XinXin has also been using the Darcula v3 platform for its operations, which indicates a potential connection between the two PhaaS platforms.

Subscriptions to Lucid are sold via a dedicated Telegram channel (2,000 members), and customers are granted access via licenses on a weekly basis.

Massive phishing operation

The threat group claims to send 100,000 smishing messages daily via Rich Communication Services (RCS) or Apple iMessage. Both channels travel over Apple's and Google's data paths rather than the carrier SMS pipeline (iMessage is end-to-end encrypted; RCS is end-to-end encrypted between Google Messages clients), so carrier-side SMS spam filtering never sees the message content.

“The platform employs an automated attack delivery mechanism, deploying customizable phishing websites distributed primarily through SMS-based lures,” explains Prodaft.

“To enhance effectiveness, Lucid leverages Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates.”

Apart from evasion, using these channels also makes the operation cost-effective: sending SMS at comparable volumes carries a significant per-message cost, while iMessage and RCS traffic rides on ordinary data connections.

Lucid operators use large-scale iOS and Android device farms to send text messages. For iMessage, Lucid uses temporary Apple IDs. For RCS, the threat actors exploit carrier-specific implementation flaws in sender validation.

Device farm used for spamming targets
Source: Prodaft

In a video shared by Prodaft, you can see threat actors conducting phishing campaigns from moving cars, likely to increase operational security and prevent law enforcement and mobile carriers from pinpointing their location.

The mobile phishing messages typically impersonate shipping notifications, tax alerts, or missed toll payments. They carry custom logos and branding, use the language appropriate to the targeted demographic, and apply geo-location filtering so that only victims in the intended region reach the phishing page.

Victims clicking on the phishing links are redirected to fake landing pages impersonating state government toll and parking agencies or private entities, such as USPS, DHL, Royal Mail, FedEx, Revolut, Amazon, American Express, HSBC, E-ZPass, SunPass, Transport for London, and more.
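The lure pattern described above (a trusted brand name in the text, a link whose registrable domain is not that brand's, urgency language) can be triaged mechanically. The following is an added example, not code from Prodaft or from the Lucid platform: a small Python triage function run over constructed sample messages written in the style the article describes. The brand allowlist, the brand patterns, the tiny multi-label suffix set, and the sample texts are all assumptions for illustration; a production version would use the public suffix list and a maintained domain allowlist.

```python
import re
from urllib.parse import urlparse

# Added example (not Prodaft's or Lucid's code). Everything below is an assumption
# for illustration: brand patterns, official domains, suffixes and sample messages.

# Official registrable domains per impersonated brand (illustrative allowlist;
# verify against each brand's own published domains before relying on it).
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com"},
    "royalmail": {"royalmail.com"},
    "amazon": {"amazon.com"},
    "hsbc": {"hsbc.com"},
    "revolut": {"revolut.com"},
}

# Patterns applied both to the lowercased message body and to the hostname with
# dots and hyphens removed, so "royal-mail.", "royalmail" and "Royal Mail" all match.
BRAND_PATTERNS = {
    "usps": re.compile(r"usps"),
    "fedex": re.compile(r"fedex"),
    "dhl": re.compile(r"dhl"),
    "royalmail": re.compile(r"royal[\s-]?mail"),
    "amazon": re.compile(r"amazon"),
    "hsbc": re.compile(r"hsbc"),
    "revolut": re.compile(r"revolut"),
}

# Stand-in for the public suffix list: suffixes that occupy two labels.
MULTI_LABEL_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(
    r"(within \d+ ?h(ours)?|pay now|immediately|avoid (a )?(late )?fee|"
    r"suspended|urgent|last notice|final notice)"
)

# Constructed sample messages in the style the article describes (not real lures).
SAMPLE_MESSAGES = [
    "USPS: your package could not be delivered due to an incomplete address. "
    "Update your details within 24h: https://usps-redelivery-tracking.com/update",
    "Royal Mail: a parcel is waiting but the redelivery fee is unpaid. "
    "Pay now to avoid return: https://royalmail.com.parcel-fee.top/rm/4421",
    "Your FedEx shipment 7781 has been delivered. "
    "Track it at https://www.fedex.com/fedextrack/?trknbr=7781",
    "Hi, are we still on for lunch tomorrow?",
]


def registrable_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'fedex.com' for 'www.fedex.com'.

    A brand name used as a subdomain ('royalmail.com.parcel-fee.top') is
    deliberately ignored: only the registrable part identifies the owner.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(text: str) -> dict:
    """Classify one message as no_link, benign, review or likely_smishing."""
    body = text.lower()
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]
    brands_in_body = {b for b, p in BRAND_PATTERNS.items() if p.search(body)}
    reasons = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reg = registrable_domain(host)
        squashed = host.lower().replace("-", "").replace(".", "")
        brands_in_host = {b for b, p in BRAND_PATTERNS.items() if p.search(squashed)}
        # A brand named in the text or in the hostname must own the registrable domain.
        for brand in sorted(brands_in_body | brands_in_host):
            if reg not in BRAND_DOMAINS[brand]:
                reasons.append(f"brand_domain_mismatch:{brand}:{reg}")
        if parsed.scheme != "https":
            reasons.append(f"plain_http:{reg}")
    if URGENCY_RE.search(body):
        reasons.append("urgency_language")
    if not urls:
        verdict = "no_link"
    elif any(r.startswith("brand_domain_mismatch") for r in reasons):
        verdict = "likely_smishing"
    elif reasons:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "urls": urls, "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(result["verdict"], result["reasons"])
```

The check that matters is the registrable-domain comparison, not the presence of the brand string: "usps" appearing anywhere in a hostname is exactly what the lure wants the reader to see, so the brand name is used only to decide which allowlist the registrable domain must be found in.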

Sample of the ‘smishing’ messages sent through Lucid
Source: Prodaft

The phishing pages are designed to steal personal and financial information, including full names, email addresses, physical addresses, and credit card details.

The platform includes a built-in credit card validator so actors can test the stolen cards. Valid cards are either sold to other cybercriminals or used directly for fraud.

Platforms like Lucid lower the barrier to entry for cybercrime operations and guarantee a baseline quality for phishing attempts, which raises the attackers' chances of success.

When this is combined with an extensive and resilient infrastructure, threat actors can leverage it to perform mass-scale and highly organized phishing campaigns.

When you receive a message urging you to follow an embedded link or reply, do not act on it. Instead, open the service's official app or type its known address into your browser yourself, and check there for pending alerts or bills.
