Insights into the shadowy world of spyware manufacturers

Last year, Facebook announced that WhatsApp users were vulnerable to a sophisticated exploit that could hack into phones with just a few unanswered calls. The new exploit was likely part of Pegasus, a spyware suite developed by Tel Aviv-based NSO Group. According to WhatsApp and Citizen Lab, a research center at the University of Toronto, the company can take over phones and computers for high-paying government clients. While the U.S. Department of Justice recently told Fast Company that it is aware of the exploit, a representative for the agency would not comment on whether it is actively combating it.

While NSO is perhaps the most notorious mobile spyware maker - a recent lawsuit alleges that its Pegasus technology was used to track murdered Saudi dissident Jamal Khashoggi - it is just one of many shady companies offering smartphone malware that, while officially targeting criminals and terrorists, can also be used to monitor activists, lawyers and other members of civil society. Dozens of spyware companies offer a range of smartphone surveillance, from video and audio recording to location and text monitoring, including to regimes with dubious human rights records. The technology has been used, for example, by mysterious elements in countries such as Bahrain and Ethiopia, who used the Remote Control System from Milan-based Hacking Team and the FinFisher spy software from Britain's Gamma Group, respectively, to target dissidents at home and abroad.

NSO has strongly denied any role in the tracking of Khashoggi. The company's CEO, Shalev Hulio, told the Israeli newspaper Yedioth Ahronoth earlier this year that "Khashoggi was not tracked by any NSO product or technology, including wiretapping, surveillance, location tracking and intelligence gathering." In January, an NSO spokesman told Fast Company that the lawsuits were "nothing more than an empty PR stunt, to continue the propaganda drumbeat against NSO's work helping intelligence agencies fight crime and terrorism around the globe."

Other companies include Israeli firms Ability (a former NSO Group partner), Verint and Elbit Systems, which have customers around the world, as the Toolkit Surveillance Industry Index shows. And in recent months, a new alliance of some public and unnamed companies has launched Intellexa, a consortium hoping to challenge NSO Group and Verint in the burgeoning lawful intercept market. In late May, Senpai, a "consulting and R&D company" specializing in cyberintelligence and AI solutions, joined Intellexa as its fourth official partner (five others are not publicly named) for its expertise in AI-based data analytics.

Particularly troubling for civil society is the legal uncertainty surrounding these spyware tools. While security researchers like Citizen Lab continue to uncover cases of abuse and lawyers for affected individuals fight the battle in court, federal contracts for the sale and use of such mobile spyware tools continue with little to no oversight. The industry is a veritable Wild West of cyberweapons, with no sheriffs to protect anyone with a smartphone.

A market of exploits

Karsten Nohl, cryptographer and managing director at Security Research Labs, says legitimate interception tools have two dimensions: Is the smartphone an iPhone or not, and does the exploit require "help" from the phone's user? For example, some exploits require users - despite warnings - to install a security update that downloads malware to their device. According to Nohl, the easiest exploits are those for Android phones, and the preferred exploits work over the Internet, while others work only on Wi-Fi. According to Nohl, NSO Group can hack most versions of the iPhone and many Android phones, and this is usually done remotely.

"The hardest thing to do would be a remote exploit of an iPhone, and as far as I can tell, NSO Group has a monopoly most of the time," Nohl says. "There's no one who can promise continuous access to the iPhone without the users' help."

However, when it comes to issues of surveillance, governmental or commercial, we very often don't know what we don't know. Nohl says that an iPhone exploit can cost a customer millions of dollars. An Android exploit, on the other hand, costs only hundreds of thousands of dollars. The iPhone ecosystem is clean, with only one software for a range of devices, which breeds highly specialized exploit research and development, hence the high market prices. The Android ecosystem is much more fragmented, requiring less effort to develop exploits for different manufacturers and phones, but more work to maintain the exploits over time.

Apple has declined to comment publicly on the capabilities of NSO or other spyware makers. In 2016, after an investigation by Citizen Lab into Pegasus prompted Apple to release a security patch for iPhones, the company did not specify the reason or the culprit, nor did it contact human rights groups. That same year, Google and cybersecurity firm Lookout said they found traces of NSO spyware on "a few dozen" smartphones in 11 countries, most notably Israel, Mexico, Georgia and Turkey.

There are cheaper options. Instead of attacking phones, Nohl says most spyware vendors offer SS7 spying, which exploits vulnerabilities in the cellular network. SS7, or Signaling System No. 7, is a protocol that allows different phone networks to communicate with each other. If an exploit gives hackers access to SS7, they can intercept smartphone users' information such as voice calls, text messages, location information and other data. "Of course, your iPhone can be as strong as you want security-wise, but if the cellular network is leaking information, that's beyond the control of the phone and Apple. Companies like Circles very actively advertise that they can track a phone's location through SS7."

Nohl assumes that every spyware vendor has access to SS7 networks. However, Nohl says Android exploits are becoming more sophisticated and new competitors are entering the market, putting these tools in the hands of a growing number of customers.

The Israeli connection

Ability, a Tel Aviv-based spyware company, sells something called the Unlimited Interception System (ULIN), which, along with a tactical cellular interception system called IBIS (In-Between Interception System), allows Ability to intercept GSM, UMTS, LTE and CDMA networks to spy on a target's smartphone. Mexico spent $42 million on ULIN and other tools in 2016, but Ability also has customers in China, Singapore, Myanmar, the Czech Republic, Germany and other countries. The company's website states that customers include security and intelligence agencies, armed forces, law enforcement and homeland security agencies in over 50 countries.

While its fortunes have waned recently - last year it settled a lawsuit with investors over misleading financial disclosures - Ability is still actively developing new exploits, according to Forbes.

Verint, which has offices in Melville, New York, and Herzliya, Israel, was on the verge of buying NSO Group for $1 billion in 2018 before talks fell through. The company is best known for its security cameras and systems that allow businesses to monitor workplaces, but it also sells sophisticated surveillance tools for mass communications, including smartphone tracking software to government and enterprise customers. Verint's SkyLock technology, for example, can track the location of smartphone users by hacking the SS7 protocol, according to a confidential brochure obtained by 60 Minutes in 2016.

Like a number of well-known spyware companies, Verint has sold smartphone sniffing systems to governments with highly questionable human rights records, such as the United Arab Emirates (UAE), South Sudan and Mexico. An anonymous former Verint employee told Haaretz last year that Verint's phone surveillance technology was used to monitor gay and transgender people in Azerbaijan.

Spyware manufacturers unite

To compete with rivals like NSO Group and Verint Systems, a number of surveillance startups recently formed a consortium. Called Intellexa, this alliance aims to become "a one-stop shop for all of our customers' field intelligence acquisition needs" - the need, of course, being the monitoring of smart devices and other electronic devices.

The Intellexa Alliance consists of cyber intelligence firms Nexa Technologies (formerly Amesys), WiSpear and Cytrox. Nexa's "Lawful Intercept" solution enables voice and data spying on 2G, 3G and 4G networks. The company, which is headquartered in Paris and has offices in Dubai and the Czech Republic, also offers an Internet eavesdropping product that allows users to conduct IP probes to analyze high data rate networks or use Wi-Fi sensors developed to detect a target several miles away, according to its website.

Nexa did not respond to email requests for comment on its system's capabilities. However, John Scott-Railton, senior researcher at Citizen Lab, says the company's Wi-Fi sensors are likely a radio direction finding technology combined with standard Wi-Fi eavesdropping attacks.

Intellexa partner WiSpear is a newer entry into the offensive cyberweapons market. WiSpear was founded in Israel in 2017, but is based in Cyprus. The company sells a specially equipped van called a SpearHead, which is equipped with 24 antennas that can force a target's phone or computer to connect to its Wi-Fi-based interceptor at a distance of up to 1,640 feet. After conducting a man-in-the-middle attack, SpearHead can download four different types of malware on iOS and Android.

WiSpear's founder, Tal Dilian, a veteran of the Israel Defense Forces, is also the founder of Circles, a cyberweapons company based in Cyprus and Bulgaria that merged with NSO Group when both companies were owned by Francisco Partners. The other public Intellexa partner, Cytrox, is a European company that develops exploits that can target and penetrate a user's smart devices. The company, which according to its website is currently in stealth mode, was acquired by WiSpear in 2018. Dilian told the publication that in addition to the three companies, there are five other non-public partners in Intellexa.

"Reconnaissance teams in the field need to be prepared to meet any challenge," Dilian said in the Feb. 16 Intellexa press release announcing the alliance. "They must be able to reach hard-to-reach areas and successfully intercept any device. For them to succeed, they need a versatile platform - portable, vehicle-mounted or airborne - with a comprehensive range of capabilities, depending on the operational scenario. Intellexa was founded to provide just that."

Intellexa could not be reached for comment on its "airborne" spying capabilities, but Scott-Railton says drones and other aircraft equipped with intercept technology would be beneficial to businesses. "[Drones and aircraft] are actually the best way to go because you can get them through line-of-sight," he says. "Ground-based systems have a much shorter range."


"Trojan system for mobile devices"

Another lesser-known spyware company is Rayzone, an Israeli company that offers services such as location tracking and Big Data analysis, as well as a "Trojan system for mobile devices" that it sells to governments and federal agencies. Rayzone's website mentions malware that allows customers to collect smartphone information such as files, photos, web browsing, emails, location, Skype conversations and other data. The company also boasts that its malware can spy on SMS and other instant messaging services, including WhatsApp.

Many of the spyware companies mentioned above make their money from overseas contracts, often under the auspices of their governments' export controls, but there are several companies with more domestic agendas. The United Arab Emirates, for example, is home to DarkMatter, a cybersecurity firm that houses Project Raven, a team of covert operatives, some of whom have previously worked for U.S. intelligence agencies such as the National Security Agency (NSA). Reuters reported in January that Raven employees in recent years used a cyber espionage platform called Karma that can hack the iPhones of activists and political leaders as well as suspected terrorists.

One of the Reuters sources, Lori Stroud, formerly with NSA contractor Booz Allen Hamilton, learned in a briefing that Raven is the offensive, operational arm of the UAE's NESA (National Electronic Security Authority, now called the Signals Intelligence Agency), the equivalent of the NSA. While Raven used Karma to spy on regional rivals like Qatar and Iran, the malware was also reportedly used to target UAE citizens who were openly critical of the monarchy. In an interesting twist, anonymous sources told the Intercept that DarkMatter staff had discussed hacking the publication's staff after reporter Jenna McLaughlin revealed in an Intercept story how Maryland-based computer security firm CyberPoint had helped assemble a team of American spies and hacking tools for Project Raven.

Across the Mediterranean, Italian company eSurv distributes an Android spyware platform nicknamed "Exodus." In March, researchers at the watchdog organization Security Without Borders said they found 25 malicious apps uploaded by eSurv to the Google Play Store between 2016 and early 2019, where they were disguised as mobile carrier apps. "According to publicly available statistics as well as Google's confirmation, most of these apps garnered a few dozen installs each, with one case reaching over 350," Security Without Borders reported.

Security Without Borders' research found that Exodus is equipped with "extensive detection and interception capabilities" and that some modifications triggered by the spyware "could expose infected devices to further compromise or data manipulation." Italian authorities launched an investigation into eSurv and a related company, STM, in the weeks leading up to Security Without Borders' report. As part of the investigation, prosecutors said they shut down eSurv's infrastructure.

Growth of a controversial industry

In March, the New York Times reported that the market for "lawful intercept spyware" is worth an estimated $12 billion. By contrast, Technavio, a London-based research firm, puts the lawful intercept market at $1.3 billion, noting that a key driver for the market is an "increasing number of government initiatives ... to increase the use of lawful interception for regular monitoring and surveillance of criminal, terrorist, and other illegal activity over communications networks." With more spyware tools and government interception initiatives, the potential for abuse will very likely increase, Scott-Railton says.

"That said, while the new entrants are chasing investors, it's pretty clear that many investors are uncomfortable because of the risks these companies are taking," he says.

Novalpina Capital, the private equity firm that recently bought NSO Group from Francisco Partners, has been pushing hard for Pegasus' human rights record in recent months. With NSO Group facing several lawsuits from alleged victims in Canada and Mexico, Novalpina has sought to calm investors' nerves with a PR campaign in which they engage with human rights groups and pledge stricter internal oversight. NSO is "already relatively permissive about using its technology for what Europeans would consider human rights abuses," Nohl says.

In the meantime, the legal terrain surrounding so-called lawful intercept tools remains opaque and largely unregulated. As a group of lawyers and law students recently wrote on Just Security, "To date, neither the national legal frameworks governing the sale and use of spyware nor industry self-regulation have been effective in preventing abuses."

David Kaye, the United States Special Rapporteur on Freedom of Expression, recently called for a moratorium on the sale of surveillance software. "Surveillance of certain individuals - often journalists, activists, opposition figures, critics and others exercising their right to freedom of expression - has been shown to lead to arbitrary detention, sometimes torture, and possibly extrajudicial killings," he wrote in a report to the UN Human Rights Council. "States should impose an immediate moratorium on the export, sale, transfer, use or service of privately developed surveillance tools until a human rights-compliant system of protection is in place."

Nohl points out that perfectly legal activity in one country may well be criminal in another, especially in terms of espionage and law enforcement. He says that many countries will feel perfectly justified in using mobile spyware technologies as tools of political oppression because their laws actually grant them that power.

And companies will continue to sell them weapons. While NSO and other Israeli suppliers currently dominate the market, that may not always be the case. "NSO Group is so phenomenally profitable that someone else has to break into that market," Nohl says. "And the next competitor could be a Russian, Chinese or even North Korean vendor that may have even fewer problems with an even larger customer base."




In 2019, we identified more than 20 government spyware apps masquerading as harmless vanilla apps in the Google Play Store. These apps - which were just a decoy through which the government spyware Exodus was installed on targets' phones - were anything but harmless. In a two-step process, they created lists of installed apps, browsing history, contact lists of numerous apps, text messages - including encrypted texts - location data, and app and Wi-Fi passwords. The malware could also activate cameras and microphones to record both audio and video and take screenshots of apps while they were in use. This spyware came from an Italian surveillance company called eSurv, and while it was good at hacking other people's phones, it was bad at securing its own data. The spyware opened a remote command shell on the infected phones, but didn't use any encryption or authentication, so anyone on the same Wi-Fi network as the infected device could get in and hack it.

But it was that sloppy security that led authorities to a startling discovery: As Bloomberg reported earlier this month, eSurv employees allegedly spied on unknowing, innocent Italian citizens using the powerful surveillance technology.

They allegedly did so with flair: according to court documents seen by Bloomberg, eSurv employees secretly played recorded phone conversations aloud in the office. And while the company was selling its spy software to law enforcement agencies, it also allegedly struck a deal with a company - 'Ndrangheta - that has ties to the mafia.

Exposing the snooping apps

The man behind Exodus is Italian developer Diego Fasano. After successfully developing an app that allows doctors to view medical records, a friend advised him to get into the surveillance business, where investigators are desperate for help penetrating the encrypted communications of messaging apps like WhatsApp and Signal. In 2014, he founded eSurv, which sells surveillance technology to police and intelligence agencies.

Here's how it worked: with the help of Italian telecoms, the company enticed people to download a seemingly harmless app that would supposedly fix network errors on their phone. Fasano said that the police, in cooperation with the mobile networks, would shut down the target's data service.

Next, they sent instructions to download an app over Wi-Fi to restore service. The app was made to look like it was connected to telecom providers, with names like "Operator Italia."

The real purpose: to give law enforcement access to a device's microphone, camera, stored files, and encrypted messages. Fasano sold Exodus to prosecutors across the country, including the country's foreign intelligence agency, L'Agenzia Informazioni e Sicurezza Esterna.

However, a security flaw led to Exodus' downfall. According to authorities, a prosecutor's office in the city of Benevento used Exodus in 2018 to hack into the phones of suspects in an investigation. In October, a technician noticed that the network connection kept dropping out.

After some investigation, the technician discovered that Exodus was not operating from a secure internal server that only the Benevento District Attorney's Office had access to, as it was supposed to. Rather, it was connecting to a server that was accessible to anyone on the Internet and protected only by a username and password.

This meant that data collected covertly from suspects' phones by Italian prosecutors as part of some of the country's most sensitive investigations - of mafia cases, terror cases and corruption cases - could be intercepted by hackers. This included thousands of photos, recordings of conversations, private messages and emails, videos and other files collected from hacked phones and computers - a total of about 80 terabytes of data, or about 40,000 hours of HD video, stored unencrypted. It turned out to be an Amazon Web Services server in Oregon.

Authorities don't know if this server has ever been hacked.

The Attorney General's Office brought criminal charges against eSurv for unlawfully collecting and storing private communications, forwarding them overseas, and failing to securely store "sensitive personal data of a judicial nature."

The Naples prosecutor's office expects the investigation to be completed later this year. Meanwhile, Fasano and another eSurv executive, Salvatore Ansani, were charged with fraud, unauthorized access to a computer system, unauthorized wiretapping and unauthorized data processing. After being under house arrest for three months, they were released and are now awaiting the next phase of their legal proceedings, which will likely lead to a trial.

Further investigation revealed that some of eSurv's 20 employees - dedicated to working on Exodus and calling themselves "The Black Team" under Ansani's leadership - used the spy software to target law-abiding Italian citizens who were never named as suspects in the investigation. Nonetheless, those citizens' phones were tapped and their private conversations recorded, for reasons that authorities say are still unknown.

According to police documents, the Black Team spied on more than 230 people who were not allowed to be monitored by the police. Some of these people were referred to in eSurv's internal files as "The Volunteers" - in other words, they may have been unwitting guinea pigs.

Investigators are still combing through the massive amount of data they seized from eSurv as they try to figure out the purpose of the illegal data collection. Was it for blackmail? For fun? For spying? For illegal surveillance on behalf of the mafia?

At the time, a prosecutor - Eugenio Facciolla, who is at the center of a corruption scandal - was accused of falsifying documents to obstruct or mislead a police investigation into an illegal logging operation led by the 'Ndrangheta that cut down thousands of trees in some Italian national parks.

In November, the agency that handles prosecutor appointments said it was removing Facciolla from his Castrovillari office on the grounds that he had "abused his functions." Facciolla is appealing the decision. Yes, he says, he has supplied Exodus to other companies, but, says his lawyer, Vincenzo Ioppoli, the spyware is "like a weapon." Once you sell it, you don't know how it's going to be used.

Executives from "eSurv" were arrested in Italy in the wake of the Exodus spyware case.

Our answer to Exodus: simple yet powerful solution

Due to the firmware architecture, remote code execution is blocked by default. This way, no other apps (except the pre-installed ones) can be installed on the phone, even by the user. Moreover, we blocked all app updates, as we found that spy apps can be pushed through a malicious app update.




FinSpy is a field-proven remote monitoring solution that enables governments to address today's challenges in monitoring mobile and security targets who regularly change location, use encrypted and anonymous communication channels, and reside abroad. FinSpy provides access to information such as contacts, SMS/MMS messages, calendars, GPS location, images, files in memory and recordings of phone calls. All exfiltrated data is transmitted to the attacker via SMS messages or over the Internet. Personal data, including contacts, messages, audios, and videos, can be exfiltrated from most popular messengers.

According to information on the official website, FinFisher offers, among other tools and services, a "strategic, wide-ranging wiretapping and surveillance solution." This software (also known as FinSpy) is used to collect a variety of private user information on different platforms.

Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then, XCell Technologies has continuously monitored the evolution of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen individual mobile devices have been infected in the past year, with the most recent activity recorded in Myanmar in June 2019. In late 2018, XCell Technologies experts examined the functionally latest versions of FinSpy implants for iOS and Android, which were created in mid-2018. The mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendar, GPS location, photos, files in memory, phone call records, and data from the most popular messengers.

Spyware features

The Android implant is able to gain root privileges on an unrooted device by abusing the DirtyCow exploit included in the spyware. FinSpy Android samples have been around for several years. Based on the certificate data of the latest found version, the sample was made available in June 2019.

It is unlikely that the functionality of the Android implant will change significantly, as most of the configuration parameters are the same in the old and new versions. The variety of available settings makes it possible to customize the implant's behavior for each victim. For example, operators can select preferred communication channels or automatically disable data transmissions while the victim is in roaming mode. All configuration data for an infected Android device (including the location of the control server) is embedded in the implant and subsequently used, but some of the parameters can be changed remotely by the operator. The configuration data is stored in a compressed format, split into a series of files in the "assets" directory of the implant apk. After all data is extracted and the configuration file is created, all configuration values can be retrieved. Each value in the configuration file is stored according to the little-endian value of its size, and the setting type is stored as a hash.

For example, the following interesting settings found in the configuration file of the developer build of the implant can be marked: mobile target ID, proxy IP address, proxy port, phone number for SMS remote control, unique identifier of the installed implant.
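An analyst who has already reassembled and decompressed such a configuration can walk it record by record to pull out the control-channel settings. The parser below is an added example, not FinSpy code and not the researchers' tooling. It assumes a record layout of a 32-bit little-endian value size, a 32-bit type hash, then the value; the page gives no field widths or hash values, so the layout, the type hashes, the value encodings and the sample blob are all constructed for illustration.

```python
import ipaddress
import struct

# ASSUMED record layout (the page gives no field widths):
#   u32 little-endian size of the value | u32 little-endian type hash | value
HEADER = struct.Struct("<II")
MAX_VALUE_SIZE = 64 * 1024  # sanity bound so a corrupt size field is rejected

# CONSTRUCTED type hashes. The page says setting types are stored as hashes
# but lists no values, so these are placeholders named after its settings.
SETTING_NAMES = {
    0x0A0A0001: "mobile_target_id",
    0x0A0A0002: "proxy_ip",
    0x0A0A0003: "proxy_port",
    0x0A0A0004: "sms_control_number",
    0x0A0A0005: "implant_uid",
}
TEXT_SETTINGS = {"mobile_target_id", "sms_control_number", "implant_uid"}


class ConfigFormatError(ValueError):
    """Raised when the blob does not follow the assumed record layout."""


def parse_records(blob):
    """Split a decompressed configuration blob into (type_hash, value) pairs."""
    records = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ConfigFormatError(f"truncated header at offset {offset}")
        size, type_hash = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        if size > MAX_VALUE_SIZE:
            raise ConfigFormatError(f"implausible value size {size}")
        if size > len(blob) - offset:
            raise ConfigFormatError(f"value at offset {offset} runs past end of blob")
        records.append((type_hash, blob[offset:offset + size]))
        offset += size
    return records


def decode_value(name, raw):
    """Decode a value using ASSUMED encodings; fall back to hex for the rest."""
    if name == "proxy_ip" and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if name == "proxy_port" and len(raw) == 2:
        return struct.unpack("<H", raw)[0]
    if name in TEXT_SETTINGS:
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            pass
    return raw.hex()


def extract_settings(blob):
    """Return named settings; unknown type hashes are kept as 'unknown_<hash>'."""
    settings = {}
    for type_hash, raw in parse_records(blob):
        name = SETTING_NAMES.get(type_hash, f"unknown_{type_hash:08x}")
        settings[name] = decode_value(name, raw)
    return settings


def network_indicators(settings):
    """Collect values a defender can search for in proxy, firewall or SMS logs."""
    indicators = []
    ip, port = settings.get("proxy_ip"), settings.get("proxy_port")
    if ip is not None:
        indicators.append(f"{ip}:{port}" if port is not None else ip)
    if "sms_control_number" in settings:
        indicators.append(settings["sms_control_number"])
    return indicators


def _record(type_hash, value):
    return HEADER.pack(len(value), type_hash) + value


def build_sample_blob():
    """CONSTRUCTED sample: documentation-range IP and a fictional phone number."""
    return b"".join([
        _record(0x0A0A0001, b"target-0001"),
        _record(0x0A0A0002, ipaddress.IPv4Address("203.0.113.10").packed),
        _record(0x0A0A0003, struct.pack("<H", 443)),
        _record(0x0A0A0004, b"+15555550100"),
        _record(0x0A0A0005, b"uid-7f3a"),
        _record(0xDEADBEEF, b"\x01\x00"),  # a type hash the analyst has not mapped
    ])


if __name__ == "__main__":
    parsed = extract_settings(build_sample_blob())
    for key, value in parsed.items():
        print(f"{key:20} {value}")
    print("indicators:", network_indicators(parsed))
```

Unknown type hashes are kept rather than dropped, so settings that have not been mapped yet still show up in the analyst's notes.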

As in the case of the iOS implant, the Android version can be installed manually if the attacker has physical access to the device, as well as via remote infection vectors: SMS messages, emails, and WAP push. After successful installation, the implant attempts to gain root privileges by checking for the presence of and executing the known root modules SuperSU and Magisk. If no utilities are present, the implant decrypts and executes the DirtyCow exploit that resides within the malware. If successful in gaining root access, the implant registers a custom SELinux policy to gain full access to the device and retain root access. If it has been using SuperSU, the implant changes the SuperSU settings to silence it, disables its expiration date, and configures it to start automatically at boot time. It also deletes all possible logs, including SuperSU logs. The implant allows access to information such as contacts, SMS/MMS messages, calendar, GPS location, pictures, files in memory and phone call recordings. All exfiltrated data is transmitted to the attacker via SMS messages or over the Internet (the location of the C2 server is stored in the configuration file). Personal data, including contacts, messages, audios, and videos, can be exfiltrated from most popular messengers. Each of the targeted messengers has its own unified handling module, making it easy to add new handlers as needed.

The full hardcoded list of supported messengers is below:


  • com.bbm: BBM (BlackBerry Messenger)
  • com.facebook.orca: Facebook Messenger
  • InstaMessage
  • Line Messenger
  • org.thoughtcrime.securesms: Signal
  • Skype
  • org.telegram.messenger: Telegram
  • Threema
  • com.viber.voip: Viber
  • com.whatsapp: WhatsApp

First, the implant checks whether the targeted messenger is installed on the device (using a hardcoded package name) and whether root access is granted. Then, the messenger's database is prepared for data exfiltration. If necessary, it can be decrypted using the private key stored in its private directory, and all the required information can be easily retrieved.

All media files and information about the user are also exfiltrated.


FinSpy implants are controlled by the FinSpy agent (operator terminal). By default, all implants are connected to FinSpy anonymization proxies (also known as FinSpy relays) provided by the spyware vendor. This is done to hide the actual location of the FinSpy master. Once the infected target system appears online, it sends a heartbeat to the FinSpy Proxy. The FinSpy Proxy forwards connections between target systems and a master server. The FinSpy master server manages all targets and agents and stores the data. Using the decrypted configuration files, our experts were able to determine the various relays used by the victims and their geographical location. Most of the relays we found are concentrated in Europe, some in Southeast Asia and the US.


FinSpy mobile implants are advanced malicious spying tools with multiple functions. Various configuration options provided by the spyware vendor in its product allow FinSpy terminal (FinSpy Agent) operators to tailor the behavior of each implant to a specific victim and conduct effective surveillance, exfiltrating sensitive data such as GPS location, contacts, calls, and other data from various instant messengers and the device itself.

The Android implant has features to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that this spyware solution does not provide infection exploits for its customers, as its product seems to be tuned to remove traces of publicly available jailbreaking tools. This could mean physical access to the victim in cases where the devices are not already jailbroken. At the same time, several features are implemented that we have not yet observed in malware designed for this platform.

Since the leak in 2014, FinSpy developers have rebuilt key parts of their implants, expanding the supported features (for example, the list of supported instant messengers has been significantly expanded) while improving encryption and obfuscation (making it harder to analyze and detect the implants), which has allowed it to maintain its position in the market.

In total, the study discovered current versions of these implants used in the wild in nearly 20 countries, although the total number could be higher.

FinSpy developers are constantly working on updates for their malware. At the time of publication, XCell Technologies researchers have found another version of the threat and are currently investigating this case.

Our solution

FinSpy bypasses 40 regularly tested antivirus apps. Therefore, there is no point in installing an antivirus. XCell Technologies has chosen another effective solution to prevent the installation of malware and malicious software. There is a FinSpy detection algorithm installed deep in the XROM firmware that not only detects any intrusion attempt, but also blocks any code execution. The local HTTP ports used by FinSpy, :8999 and :8899, have been blocked.
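A check a defender could run for the two local ports named above, as an added example (not XCell's code and not part of the original page): it parses a socket table in the Linux/Android `/proc/net/tcp` layout and reports which uid owns any socket on :8999 or :8899. It assumes a shell that is allowed to read that file; the sample table, the uids and the function names are constructed for illustration.

```python
import socket
import struct

FINSPY_LOCAL_PORTS = {8999, 8899}   # local HTTP ports named on this page
TCP_LISTEN = 0x0A                   # "st" column value for LISTEN

# Constructed sample in /proc/net/tcp layout; not captured from a real device.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2327 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40111 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10077        0 40112 1
   2: 0100007F:22C3 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10123        0 40113 1
   3: 0100007F:C350 0100007F:22C3 01 00000000:00000000 00:00000000 00000000 10150        0 40114 1
"""


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' into (dotted IPv4, port)."""
    addr_hex, port_hex = field.split(":")
    # The address is printed as a host-order 32-bit word (little-endian on ARM and x86).
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def find_suspect_sockets(table, ports=FINSPY_LOCAL_PORTS):
    """Return (role, local, remote, uid) for sockets that touch the watched ports."""
    findings = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue                             # truncated or blank row
        l_ip, l_port = decode_endpoint(cols[1])
        r_ip, r_port = decode_endpoint(cols[2])
        state, uid = int(cols[3], 16), int(cols[7])
        if l_port in ports:
            role = "listener" if state == TCP_LISTEN else "service-side"
        elif r_port in ports and r_ip.startswith("127."):
            role = "client"                      # a process talking to the local service
        else:
            continue
        findings.append((role, f"{l_ip}:{l_port}", f"{r_ip}:{r_port}", uid))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sockets(SAMPLE):
        print(finding)
```

A hit is an indicator to triage, not proof of infection: other software can bind these ports, so the next step is to identify the app that owns the reported uid.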

So XStealth users shouldn't be afraid of government-grade surveillance software. XStealth Pro will be even more secure, giving users access to the FinSpy Annihilator control panel.




Pegasus is spyware developed by the Israeli cyberarms company NSO Group that can be installed on devices running certain versions of iOS, Apple's mobile operating system. Android OS is less vulnerable than iOS when it comes to Pegasus (also known as Chrysaor for Android).

If you click on a malicious link, Pegasus secretly activates a jailbreak on iOS devices and can read text messages, track calls, collect passwords, track phone location, and collect information from apps, including (but not limited to) iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype. So Pegasus cannot install itself (like FinSpy Mobile): user interaction is required.

Pegasus for Android (Chrysaor) does not rely on zero-day vulnerabilities. Instead, it uses a well-known rooting method called Framaroot. On XROM (our proprietary firmware), we blocked the Framaroot executable and ports. This was easier than blocking FinSpy Mobile. So, don't worry: Pegasus is not a threat to our Android Ultra Secure Stealth Phones, nor to other XCell Stealth Phones. The others running 100% proprietary firmware are also 100% immune: no apk files can be installed on feature phones.

Pegasus User Manual



What is ULIN actually?

We would say that ULIN (Ultimate Interception) is nothing more than a well-executed marketing campaign based on a very old interception method: SS7. Nothing new, nothing out of the ordinary compared to other SS7 interception solutions already on the market, such as the older but powerful SkyTrack. Verint, another Israeli company, also launched SkyJack and SkyLock, their SS7 solution for wiretapping and location tracking, back in 2013. At the time, the SS7 exploit now used by ULIN was not yet known, so Verint had to install a so-called SS7 box in the core mobile network, connected to the operator's internal servers running HLR-VLR services. And Verint did that with the help of security and homeland security agencies around the globe who were interested in running such systems. And they did it well.

The new thing that ULIN brings is a new SS7 exploit that allows remote exploits without having an SS7 box installed on the mobile network core.

The price is also an extraordinary one, justifying the monetization of the new SS7 exploit: The ULIN system is currently available for $20 million and can identify calls, texts, and location from virtually any mobile phone around the world.

As we mentioned earlier, Ability is not the only company to target SS7 so aggressively. In fact, Ability neither developed the ULIN product itself nor owns the technology, but licenses it from an unnamed third party. The company invests in research and development for the system and is the only one that deploys the tool on its own infrastructure, but it has relied on another company for the core system. That other company is described in the SEC filings only as "a newly formed company with a short operating history and is still unknown in the industry."

And last year it was reported that Circles Bulgaria and two other Israeli companies, Rayzone and CleverSig, were selling SS7 exploit packages, although there were few details about what exactly they were offering or for how much.

ULIN was introduced back in 2015 as an interception solution that allows government agencies to intercept remote communications almost anywhere in the world. ULIN enables the lawful interception of voice calls, SMS messages and caller-related information from GSM / UMTS / LTE phones without the intercepted phone having to be nearby and without the consent of the mobile network operators, and requires only the phone number or IMSI of the mobile device.

ULIN is a young product that may not yet be widely available. According to May's results document, Ability has only sold one ULIN product at the low end of the price scale so far, but has "received inquiries from a number of existing and potential customers." This first customer, which does not engage in cross-border exploitation but focuses on targets in its own country, is being treated as a beta test.

How can this system accomplish such extraordinary feats?

It actually exploits a flaw in Signaling System No. 7, or SS7, the international telecommunications standard that defines how information is exchanged over the public switched telephone network (PSTN) and digital networks for mobile phones. The nodes of an SS7 network, its "signaling points", use out-of-band signaling to facilitate services such as call routing.

A yet unknown third party is responsible for licensing this vulnerability to Ability and providing access or information about the SS7 flaw. Thus, intercepting any mobile phone for law enforcement is easily possible by simply tapping the targeted phone.

Like every other SS7 eavesdropping system, the ULIN system is based on vulnerabilities in the SS7 protocol, which was developed back in 1984 and has been updated very sparingly since then; the last update was in 1993! The vulnerability affects everyone as long as they use the cellular network. Even if a user turns off their location services on their phone, hackers can still view the network through network services. Governments around the globe knew about the vulnerability, but because of the benefits it presents to them, they chose not to close it. The world's population is at risk of having their phone calls intercepted with a known vulnerability just because some intelligence agencies might get some data.

The bad news is that there is no single place to turn when it comes to SS7 security, because network operators are responsible for their own security. Although some networks are more secure than others, none are immune to the attacks.

How does the SS7 flaw work?

The hacker or law enforcement using an SS7 interception system will forward all calls to an online recording device and then return the call to the intended recipient, a so-called man-in-the-middle attack. In addition, a mobile phone user's movements can be tracked by other hacking tools. The victim's location can be tracked through Google Maps. The SS7 flaw is actually an open secret among the world's intelligence agencies. The crucial vulnerability lies in the mobile network itself.

ULIN User Manual



Since 2016, we have introduced cryptoTRACER® on most of our stealth phones, which triggers alerts when your phone calls and messages are intercepted using SS7 means. cryptoTRACER® is effective in ULIN interception detection because the system uses the same SS7 security vulnerability.

In addition, location tracking pings from the ULIN system (portable or strategic) are sent over a cellular network, causing them to show up on XCell Stealth phones as a received location tracking ping that is stored in a text file for further analysis.


For XCell Dynamic IMEI Stealth Phones (v1, v2, v3.1, v4, XCrypt and XCell Pro), there is a special type of warning when the ULIN system collects call-related data (date, time, involved phone numbers (for conference calls) and associated location data at the time of the call): The green lock icon on the top home screen will flicker red/green for approximately 20 seconds after you hang up the call; this is the time it takes ULIN to collect the above data. This advanced feature is used by ULIN to map the entire contact network of the target phone and is usually performed before starting the voice call listening process.


With XCell Basic v3, XStealth Lite and XStealth, the call screen remains on alert for about 20 seconds after the call ends, as if the call was still active. This is not a bug or malfunction of the phone, but a direct result and proof of the ULIN system extracting call-related data from the cellular network rather than from your phone.




Hydra is another SS7 monitoring and eavesdropping solution developed by HSS Development. It exploits the same SS7 protocol vulnerability as SkyTrack, Sky Lock and ULIN.

Since we have cryptoTRACER® installed on most of our XCell Stealth Phones, such an intrusion will trigger an alert every time a phone call and SMS is intercepted, and every time a location tracking ping hits the phone.

Hydra User Manual



SkyLock from Verint

Although the company Ability claims that ULIN is the first global interception and tracking system, Verint, another Israeli company, launched its SS7 interception system back in 2013.

At that time, the SS7 exploit now used by ULIN was not yet known. Therefore, Verint had to install a so-called SS7 box in the mobile core network, connected to the operator's internal servers running HLR-VLR services. And Verint did that with the help of security and homeland security agencies around the globe that were interested in running such systems. And they did it well.

The problems arose in 2015, when some governments found out that the same SkyLock surveillance system could be used against them by their enemies: other hostile governments and/or countries. That is because Verint sold SkyLock to any interested government, with no restrictions. However, Verint will not reveal the location of Israeli subscribers in Israel, nor of US subscribers at home or abroad. The same situation exists today with ULIN and other SS7-based wiretapping systems.

SkyLock no longer appears in Verint's current offering, but it continues to be sold and maintained by another company, formerly part of Verint, called Cognyte.

Like a number of well-known spy companies, Verint has sold smartphone sniffing systems to governments with highly questionable human rights records, such as the United Arab Emirates (UAE), South Sudan and Mexico. An anonymous former Verint employee told Haaretz last year that Verint's phone surveillance technology was used to monitor gay and transgender people in Azerbaijan.

Since we have cryptoTRACER® installed on most of our XCell Stealth phones, such an intrusion triggers alerts when a phone call and SMS are intercepted and every time a location tracking ping hits the phone.


more GSM Interceptor user manuals

Cobham - Tactical Lawful Intercept

CC6000 from HSS Development

CC4300U - UAV IMSI Catcher

Gemini, from Harris Corporation

RayFish from Harris Corporation - iDEN and GSM Interception