Troubleshooting

Android ghost SMS-OTPs

Understanding and resolving unexpected OTP messages on Android devices

On Android 4.4 (KitKat) and 5.0/5.1 (Lollipop), users may receive SMS-OTPs at odd times without having initiated a login. These events are not visible in the Mideye Server or central system logs. The messages are old flash/pop-up SMS that are cached in the phone's operating system and re-appear at seemingly random times, often hours or days after the initial reception.

When an OTP arrives as a flash/pop-up SMS, the user is given two options: Cancel or Save. If neither is selected and the user instead presses the Home button, the message disappears but remains cached in the operating system. It may then re-appear later. If the phone is configured to use a messaging app, e.g. Hangouts, the OTP message may also be automatically converted from a flash/pop-up SMS to an ordinary inbox SMS. It is then given a timestamp that corresponds to the time of re-appearance, not the initial time of reception. Hence, the timestamp will not match server logs and central system OTP delivery logs.

How to fix this

  • Restart the phone (power off/power on) to clear the cache
  • Preferably, select the default Android messaging app for SMS instead of Hangouts or another messaging app
  • When receiving OTPs, make sure to always select Cancel or Save
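
When a user reports an unexpected OTP, the timestamp mismatch described above can be checked against delivery records to separate a cached re-appearance from an OTP the server really sent at that moment. The following Python is an added example, not part of the original page or of Mideye's software; the record layout, the phone numbers, the 5-minute tolerance and the 7-day lookback are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: OTP delivery events as a server-side log export might list
# them (msisdn, UTC delivery time). The format is an assumption, not Mideye's.
DELIVERIES = [
    ("+46700000001", datetime(2015, 3, 2, 8, 14, 5)),
    ("+46700000001", datetime(2015, 3, 3, 8, 2, 40)),
    ("+46700000002", datetime(2015, 3, 3, 9, 30, 0)),
]

TOLERANCE = timedelta(minutes=5)   # assumed clock skew / delivery delay
LOOKBACK = timedelta(days=7)       # assumed bound on "hours or days" of caching


def classify_report(msisdn, seen_at, deliveries=DELIVERIES):
    """Classify a user-reported OTP SMS by comparing it with delivery records.

    Returns (verdict, matched_delivery_time_or_None).
    """
    own = sorted(t for number, t in deliveries if number == msisdn)

    # 1. A delivery close to the reported time: the server really sent an OTP,
    #    so a login was initiated then. Not a ghost message.
    for t in own:
        if abs(seen_at - t) <= TOLERANCE:
            return "matches_delivery", t

    # 2. No delivery at that time, but an earlier one inside the lookback
    #    window: consistent with a cached flash SMS re-appearing.
    earlier = [t for t in own if timedelta(0) < seen_at - t <= LOOKBACK]
    if earlier:
        return "likely_cached_replay", earlier[-1]

    # 3. Nothing sent to this number in the window: not explained by the cache.
    return "unexplained", None


if __name__ == "__main__":
    reports = [
        ("+46700000001", datetime(2015, 3, 3, 19, 47, 0)),  # evening, no login
        ("+46700000001", datetime(2015, 3, 3, 8, 3, 10)),   # right after login
        ("+46700000003", datetime(2015, 3, 3, 12, 0, 0)),   # number never sent to
    ]
    for msisdn, seen_at in reports:
        print(msisdn, seen_at.isoformat(), *classify_report(msisdn, seen_at))
```

A `matches_delivery` verdict for a login the user did not initiate is the case that warrants follow-up, since it means the server sent an OTP at that time.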