The most complete and powerful stealth phones are XCell Pro and XStealth.

Due to hardware and software limitations, there is no XCell Stealth Phone that has ALL the special features shown below. Our programmers have squeezed all possible special features out of all the phones we have used. For example, the XCell Pro has no calibration feature, instead the auto calibration is embedded in the OS with no access to the GUI.
Other XCell Stealth Phones have less special features (and smaller prices) because they are tailored to the needs of users in the field.
There is no such thing as "the best XCell Stealth Phone." The best XCell Stealth Phone is the one that fits all security needs. However, XCell Pro and XStealth are the most complete stealth phones as they are equipped with all possible special features.

Call Interception Alert*

Real-time intercepted call detection and warning. The phone user is warned when a call is intercepted. Based on A5/1 stream cypher checking and TA checking algorithm (for SS7 interception). Triggered by any type of interception: IMSI catcher, GSM interceptor, SS7.

*Refers to phone calls made over the mobile network. Does not refer to IM voice chat, Skype, etc.

SMS Interception Alert*

Detection and alerting of SMS in real time. The phone user is warned when SMS are intercepted. Based on A5 / 1 stream cypher checking and TA checking algorithm (for SS7 interception). Triggered for any type of interception: IMSI Catcher, GSM Interceptor, SS7.

False Positive in networks that do not use encryption for SMS by default.

* Refers to regular SMS sent / received via mobile network. Does not refer to IM chat, WhatsApp, etc.

Location Tracking Alert*

Real-time detection and alerting of location tracking pings. On some XCell Stealth phones, received pings are stored in a text document for further analysis. When Location Spoofing is enabled (if available), a spoofed GSM location is sent based on the furthest cell tower the phone can "see".

*Relates to location tracking procedures that use the subscriber's cellular network (by government agencies, law enforcement, etc.). Not effective for IP-based location tracking.

SS7 Interception Alert

The interception of SS7 calls is done with the help of the network operator or, as in the latest systems - e.g. ULIN - bypassing the network operator's servers, directly at the HLR/VLR level.

Real-time interception detection and alerting.

SS7 Location Tracking Alert

SS7 location tracking is done with the help of the network operator or, as with the latest systems - such as ULIN - bypassing the network operator's servers, directly at the HLR/VLR level.

Real-time location tracking detection and alerting.

Location Update (LUR) Alert

LUR is sent from the network to the phone and requests the location of the phone. This is a standard procedure used by all mobile networks. A GSM interceptor with location tracking capabilities sends multiple LUR to the target phone to determine its exact location. XCell Stealth Phones detect abnormal LUR and trigger location tracking alerts, which are stored in a text file for further analysis.

Note: Cellular phones are not designed to function at very high speeds when traveling, such as on commercial airliners. Mobile phone networks are also not designed to support such speeds. Above 400Km/h during low altitude flights, false positive LUR alerts may occur due to the rapid succession of LAC.

Real Location Spoofing

Real Location Spoofing refers to the fake location sent for triangulation techniques (based on the cell tower location). Basically, the phone connects to the furthest cell tower that can be "seen" by the phone. It does not depend on GPS location and does not require an internet connection or third-party servers. GPS spoofing can be easily circumvented by triangulation, which reveals the actual location based on the cell tower's location.

Dynamic IMEI Change

IMEI is the phone ID. The dynamic IMEI function changes the IMEI automatically after each call and SMS without user intervention. New phone ID after each call and SMS. When this feature is enabled, calls and SMS cannot be intercepted and location cannot be tracked. Also, the target correlation methods of modern GSM interceptors that match the IMEI of the phone with the IMSI (SIM card used in this phone) will fail. Combined with the special Dynamic IMSI feature (XCell Basic v3 Advanced, XCell Pro and XStealth), the phone's capabilities become a weapon.

Manual Change IMEI

IMEI is the phone ID. Some basic XCell Stealth phones only have the function to manually change the IMEI, such as the XCell Dual SIM Stealth Phone. Dynamic IMEI stealth phones can also change the IMEI manually: User can add a specific IMEI. New phone ID after each call and SMS, manually. When IMEI change is enabled, call and SMS interception and location tracking will fail. Also, the target correlation methods of modern GSM interceptors that match the IMEI of the phone with the IMSI (SIM card used in this phone) will fail.

Phone Cloning

You can clone any other mobile phone and impersonate it to fool GSM Interceptor. Due to the sensitive nature of this particular feature, more info after purchase.

IMSI Change

IMSI is the SIM ID. Why IMSI change? Well, the answer is "IMSI Catcher", the name given to mobile phone interception systems. Therefore, no explanation is needed. IMSI Change is a special feature requested by law enforcement and intelligence agencies and is now available to the public. The phone user can generate a new IMEI/IMSI for each call, making tracking and interception an impossible mission. The IMEI is the phone ID, the IMSI is the SIM ID. If you change everything, the phone user is 100% protected.

Channel Lock

Each mobile phone is connected to a cell tower via a pair of radio channels - uplink and downlink - called ARFCN or EARFCN. A GSM interceptor forces the phone to disconnect from the real cell tower and connect to the GSM interceptor using a different ARFCN and LAC (Location Area Code) value. By blocking ARFCN channels, XCell Stealth Phones do not connect to a GSM Interceptor or any other real cell tower when on the move, thus avoiding call and SMS interception. Low signal or even signal loss issues may occur.

A5 Tracer

All communications in GSM networks are encrypted by default, using a stream cypher called A/5. To perform call interception, GSM interceptors disable network encryption or (the latest systems) lower the encryption level from A5/1 to the weaker A5/2, which can be decrypted in less than a second.

The phone constantly monitors the standard A5/1 GSM encryption (provided by the GSM network) and triggers alerts when a missing encryption or a change of encryption is detected. In this way, the user is warned about call interception before making a call or answering a call.


To locate the phone, law enforcement agencies send what are called location tracking pings (LTP) to the phone. These are basically malformed text messages (invisible on ordinary mobile phones, regardless of the brand, price or technology used), usually over the GSM network. In response to the received ping, a normal phone sends back its GSM location data (not to be confused with GPS tracking), which consists of the tower's cell ID data, which actually means the GPS position of the tower the phone is connected to.

When the UnPing feature is enabled, the XCell Stealth Phone:

a. Trigger alarms when a location tracking ping is received

b. Block responses to received LTP and in this way hide the location of the phone. Certain special settings are required.

Location tracking alerts are displayed on the phone's home screen and saved to a text file.

TMSI monitoring

TMSI (temporary IMSI) is a value generated by the network to protect the IMSI to be sent by the phone. The TMSI should change every time the LAC is changed or the phone is restarted (depending on the settings of the respective mobile network). Due to low processing power compared to network servers, a GSM interceptor generates a single TMSI as long as the phone is connected to it. TMSI monitoring allows the user to check the current TMSI and any changes. More details after purchase.


XCell Stealth Phones are tracking-proof and give privacy back to the user. Unlike a cell phone that processes encrypted data elements, encoding it and making it unintelligible to an external listener, XCell Stealth Phones protect the call itself, making the phone untraceable and unlocatable.

No Call Log History

No calls are stored in the call list, which is always clean and contains no entries.

Discrete Call Recording

The user can activate automatic call recording. Each individual call is recorded without a warning tone. Call records are a valuable resource when dealing with tampered or hacked records, especially in court.

Hunting Mode


By enabling hunt mode, the phone will alert the user when a call and / or SMS is intercepted (before the call is answered or before the call is initiated) as well as location tracking. No calls or messages will be blocked. Hunt mode allows you to determine if your phone is being monitored.

Anti Interception Mode

By activating the bugging protection mode, no calls and SMS can be sent or received while the phone is monitored and interception is active. Use it with precautions, only when necessary: you don't want your enemies to learn new collection strategies (HUMINT or Bugging) to find out your secrets.

Ki Extraction Alert

Ki is the encryption key stored on each SIM card, which is needed for encryption and decryption of voice calls. A GSM interceptor tricks the phone into sending out Ki (for further voice call decryption) through multiple RAND/SRES sessions. XCell Stealth Phones detects abnormal RAND/SRES sessions and triggers an alarm for Ki extraction.

Secure SMS

A secure SMS is a normal SMS sent via secure gateways to another non-XCell device. A secure SMS can only be intercepted if the recipient phone is intercepted. A secure SMS is different from encrypted SMS.

Encrypted SMS

Some XCell Stealth Phones use government grade SMS encryption. You need at least 2 similar XCell Stealth Phones. No additional fees, no monthly payments, no internet connection required.

Embedded in the operating system, it prevents reverse engineering or hacking due to obfuscated source code. In this way, there is no possibility to manipulate the encryption algorithm, which is hidden for cryptanalysis.

Encrypted IM

Only available for XStealth Lite and XStealth.

Encrypted instant messaging ensures privacy and security by making sure that only the person you send your messages to can read them. Powerful encryption software built into messaging apps means that third parties who intercept these messages can't read them.

There is a wide range of encrypted IM that the user can choose to have installed before delivery. Some encrypted IM are installed by default.


Is our proprietary SMS encryption solution, available for XCell Basic v3 Advanced Stealth Phone and XStealth. Can also be installed on XStealth Lite upon user request. It requires at least 2 XStealth devices to work. Read more here.

Immune to Silent SMS

Many foreign police and intelligence agencies use clandestine "silent" text messages to locate suspects or missing persons. This method involves sending an SMS text message to a suspect's mobile phone. This text message goes unnoticed and sends a signal back to the sender of the message. Silent SMS use an invisible return signal or "ping". The message is rejected by the recipient's cell phone and leaves no trace. In return, the sender receives the geographical location of the mobile phone.

Immune to Spy Call

A spy call is a call made by a GSM interceptor to a mobile phone to listen to the phone environment. This call cannot be detected by the phone user: The phone does not ring or vibrate and the home screen remains off (no sign of an active call). A spy call is not visible in the call list.

XCell Stealth phones block spy calls or allow the user to answer the call depending on the phone model.

Immune to Silent Call

A silent call is a call originated by the GSM interceptor to a specific IMEI / IMSI to establish correlations between IMEI / IMSI and MSISDN (Mobile Subscriber Integrated Services Digital Network number), which is actually the phone number corresponding to the SIM card ). Silent calling allows a GSM interceptor to identify a specific phone number associated with a specific IMEI / IMSI. Silent calls are the result of a process called ping. This is very similar to an IP (Internet Protocol) ping. A silent call cannot be detected by a normal phone. Not to be confused with Spy Call, which means that you need to listen to the phone environment.

A silent call is also used by a GSM interceptor to locate a mobile phone by initiating a silent (blind) call. Normal mobile phones do not ring or vibrate and must transmit on a frequency controlled by the interceptor. Then a DF (Direction Finder) device is used to locate the signal source (target cell phone). Up to 1 m accuracy. GSM Interceptor allows regular incoming and outgoing calls and SMS during this process.

A silent call is also used to capture the current TMSI number.

XCell Stealth Phones are designed to detect, reject and block silent calls.

Security Suite


The Security Suite is installed on certain XCell Stealth phones and contains up to 7 special functions:


  • IMSI change

  • Immediate wiretap control

  • C2 monitoring

  • Sandbox

  • cryptoTRACERⓇ

  • Anti-interception

  • Location spoofing

call encryption

Call encryption is available for XStealth Lite and XStealth only upon user request. Consist of call encryption apps that use third-party data connections and servers. Not recommended. More here.

instant interception check

The user can immediately check if the phone is connected to a GSM interceptor or affected by an SS7 interception by running the Instant interception check app.

After startup, the function starts checking active and passive monitoring, step by step. When monitoring with active/semi-active GSM interceptors, the phone checks:

  • BTS parameters

  • RSSI

  • Cell ID

  • LAC


  • Ki retrieval attempts (cipher key stored on SIM card).

  • Baseband attack attempts.

In case of interception attempts by passive GSM interceptors, the phone is checked:

  • Uplink

  • Downlink

  • It pings the HLR/VLR core network and calculates network redundancy and abnormal ping delays.

  • A network security assessment is created at the end

C1/C2 Monitoring

By forcing the cell tower to be reselected (parameter C2), active and semi-active GSM interceptors force each mobile to disconnect from the home network and connect to the wrong cell tower. This is also called BCCH manipulation and is used by all modern GSM interceptors. When this function is started, the phone.

  • Extract the C1 value, from the serving cell.

  • Calculates the C2 value using a special algorithm used by each GSM network.

  • Search for at least 6 other neighboring cell towers, ranked by RSSI value.

  • Compare C1 with C2.

  • Trigger an alarm if no adjacent cells are found (a clear indication that a GSM interceptor is active in the area).

  • Search for CPICH, RSCP and BCCH.

  • Show forced handover attempts (if any).

  • Display of channel blocking errors (if any).


Besides IMSI Catchers and GSM Interceptors, which are small and mobile (sometimes mounted in vehicles) interception systems, law enforcement agencies use so-called Lawful Interception (SS7 Interception or Interception by operator help), which is a special hardware directly connected to the GSM core network (at the network switch level).

CryptoTracerⓇ is a unique feature based on XCell's proprietary algorithms that can instantly detect lawful interception attempts and alert the user when calls and SMS are intercepted using SS7 means (strategic interception solutions).

Network Scan

Only available on XStealth.

A live network monitoring tool that looks for IMSI catchers/GSM interceptors, SS7-based eavesdroppers and other network anomalies. A real-time eavesdropping detection feature is also available. No false alarms due to intelligent scan mode. Similar to the Instant Interception Check available for the XCell Dynamic IMEI product line.

Real Time Interception Detection

Users can check the security of their mobile stealth phone connection in real time. Detects call / SMS interception in the following ways: IMSI Catcher / GSM Interceptor or SS7 (also known as Network Switch Based Interception).

LAC Change Alert

This is the proximity alert function. The phone will detect any abnormal LAC (Location Area Code) when stationary, changes made only by IMSI catchers/GSM interceptors to force a connection for eavesdropping purposes.

Available at XSteallth.

Microphone Lock

The user can lock the microphone at any time to prevent remote activation so that the environment cannot be monitored via silent call or spy call.

Available on XStealth.

Camera Lock

The user can lock the camera at any time to prevent remote activation for spy images / movies.

Available on XStealth.



Android Ultra Secure Stealth Phones come with a Calibrate app that is required for 2G and 3G networks. Make sure to run Calibrate when the phone is connected to the home network (not roaming, not connected to a GSM interceptor). Preferably: when you are on the move. Only use MNO SIM cards within the country that issued the SIM card. GSM country code and SIM country code should be identical.

When you activate the phone for the first time, you should run the calibration function: The phone calibrates itself, tests the GSM network and stores the home network data, which is part of the self-learning process. It is important that you use a new SIM card (whether contract or prepaid) and that you are in a safe place (connected to a real GSM network).

Other XCell Stealth Phones use an automatic calibration when inserting a new SIM card.

On Screen Functions

For ease of use, the main monitoring and alert functions are also displayed on the home screen. As the main home screen is anonymous and looks like any other smartphone, a simple swipe across the screen will display all monitoring functions on the screen.


IMEI engine, IMSI engine and other software components are moved to a separate partition (sandbox) for faster and smoother operation. System reboot suppressed in case of abnormal network properties (i.e. Generated by IMSI catcher / GSM interceptor).

Continuous Network Scanning

Continuous scanning on the network is a background process that never stops. The phone scans for GSM / SS7 threats. Also works in airplane mode. This causes the battery to drain faster than normal mobile phones. The battery lasts up to 3 days.

Testing Tool: XPing

No other secure phones come with a free (or not) trial tool.

Android Ultra Secure Stealth Phones - XStealth Lite and XStealth - come with a free trial tool: XPing Tool. This is an Android application designed to test the Location Tracking Alert and Location Ping reception.

XPing Tool can be installed on any other Android device (4.2 and above) that can send location tracking pings to any other mobile phone. In order to be used legally, we have removed the location data that is sent back from the destination phone to the sender phone, along with the delivery report. The sender phone will only receive a standard delivery report stating that the location ping was sent and received by the destination phone. The sender phone does not receive any location data back.

Not compatible with other XCell Stealth phones.

Virus Free: Secure by Default

All XCell Stealth phones are immune to viruses, malware or spyware by default. No apps can be installed even by the user: App installation is disabled. No remote code execution is possible even through SIM toolkit attacks. No antivirus app is needed to slow down the phone.

Removed GPS Module

At the customer's request, the GPS module can be deactivated at both software and hardware level.

Removed Camera Module


At the customer's request, the camera module can be deactivated at both software and hardware level.

Removed all Google Software


At customer request, all Google software components are removed. This may lead to system stability issues.

Only available for XStealth Lite and XStealth.

All other XCell Stealth phones do not have a Google software component by default.

self-destruct motherboard

When the phone is connected to an external device other than the paired charger, a self-nuclear mechanism is triggered and the motherboard self-destructs. There are no unlocking procedures. This can only be fixed by replacing the motherboard.

When the self-nuke mechanism is triggered, the phone goes into protected mode (permanent boot loop): bootloaders are cleared and the phone's motherboard discharges 200 VDC on the data lines when the first USB connection is made.
In lab tests, the phone's battery has also been repeatedly set on fire, with ignition caused by the high-voltage discharge. Our company will not be responsible for any damage or loss if chargers other than the supplied one are used, or if an attempt is made to connect the phone to another external device. We do not provide replacement for defects by other means.

Encrypted Bootloader

With a regular bootloader, you can change all the software on your phone. By locking (encrypting) it, we prevent others from doing so. Others means not only forensic examiners, but also the owner of the phone itself. In this way, we want to give hackers/forensic examiners who want to hack into the phone for security reasons as little attack surface as possible. We don't want custom software to be put on that can degrade or even nullify the security of the phone. The phone retains a read-only copy of the encryption key, which blocks any firmware updates that could be transmitted over the air by hackers or even intelligence agencies to gain access to your phone. The phone internally keeps a read-only copy of the manufacturer's public key. This means that the phone gets the best of both worlds: It prevents users from uploading unsigned malicious changes to the phone, while allowing us to fix any software issues once we have the phone in our hands.

Encrypted & Signed Firmware

With a signed firmware, our programmers can verify that the firmware has not been tampered with when a user asks for it. Thanks to the encryption, obfuscation and signature of the firmware, no extraction for further cloning or device depth analysis is possible.

Bluetooth Firewall


Highly secure Bluetooth connection. Remote activation not possible, 100% user control.

No False Positives

False positives mean false alarms that are triggered by normal and harmless events on the phone. For example, some mobile operators do not use the default encryption for SMS as intended. Without false alarm suppression, an SMS interception alert is triggered when an SMS is sent or received without actually being intercepted. The same is true for location tracking pings.



XCell Stealth Phones are protected from forensic investigation by volatile USB filters. No forensic device can extract any data or files from the phone. Once the phone is connected to such a device, a PC or a service box, the volatile USB filters trigger a self-destruct of the motherboard and the phone enters protected mode (permanent boot loop). If the phone is accidentally connected to a PC for charging purposes, the self-nuke mechanism will also be triggered. Only the supplied wall chargers paired with the phone should be used for charging.

Paired Wall Charger

All XCell Stealth Phones that are charged via a micro USB port come with a paired charger. No other chargers or power banks are allowed. The paired charger is used to protect against forensic investigation and data extraction. If anything else is plugged into the USB port, the motherboard will self-destruct.

user control

Phone users have 100% control over their own XCell Stealth phone. No OTA updates, no hidden strings, no servers involved.

security audit

Most XCell Stealth Phones have received independent security reviews from three different companies, all of which have passed successfully.

Highly Customizable

XCell Stealth Phones are highly customizable based on customer requirements: software, graphical interface and company logo. Available as branded, unbranded and custom Stealth Phones. XStealth Lite and XStealth are the most versatile products: Customers can select up to 4 apps to install after we review the source code and apply security patches (if required). We reserve the right not to install certain apps that may compromise user privacy or phone security.

Tamper Resistant Stealth Phone

Effective tamper-resistance mechanisms are installed at both the software and hardware levels. Hardware tamper-resistance is resistance to tampering (intentional malfunction or sabotage) either by the normal users of a product, package, or system or by others who have physical access to it. Software anti-tampering techniques allow a firmware to inspect itself and check whether its code has been modified. We refer to these techniques as self-inspection, which literally read the binary code of the protected software by using special functions called checkers.

Tamper Resistant Battery

A cell phone battery has up to 4 microcells inside. When intelligence agencies intercept the package containing your new cell phone, they replace one of the microcells with a tracking device powered directly by the remaining microcells before delivery. Since the user of the cell phone always charges the battery before it is discharged, it always keeps the tracking device alive.

Tamper Resistant OS

Mobile devices are easy targets for both hackers and abusive state actors. That's why we built the most secure Android - XROM - to protect against a variety of attack vectors without worrying about who has access to your data. XROM is based on the latest stable version of the Android open source project and has the basic privacy and security features from there that are already way ahead of any traditional desktop/mobile Linux distribution.

Unlike other variants of Android, including aftermarket operating systems and the forks that manufacturers create for their devices, XROM does not disable or weaken basic security features such as verified booting and SELinux policy.

Taught the Android runtime not to look for executable code (oat and odex files) in /data/dalvik-cache, and removed the execute and symlink read permissions for the dalvik cache label for system_server and domains used only by the base system, so that it is only allowed by policy for untrusted_app, isolated_app, and the shell domain for adb shell.

XROM cannot be downgraded for abusive exploits. System files are protected from copying or extraction.

Fully verified boot that includes all firmware and operating system partitions. The unverified user data partition is encrypted and deleted by a factory reset. Rollback protection is implemented via the Replay Protected Memory Block.
Kernel attack surface reduction is implemented via seccomp-bpf. Linux kernel defaults are paired with library load order randomization in the linker.

No OTA Updates

Most "secure" phones and apps these days request software updates from time to time, which is basically not a bad thing. The main problem is that fake software updates can be applied by skilled hackers or abusive law enforcement to trick the phone user and install spyware without the user's knowledge and consent. This is because a malicious app or code execution can easily be disguised as a software update and easily installed remotely on the phone. This is actually how law enforcement agencies gain access to phone data remotely.

This is an example:

No App Install / Uninstall

No apps can be installed or existing apps removed on XStealth Lite and XStealth. App installation is blocked on XStealth Lite and XStealth, as well as app uninstallation. We have blocked the app uninstall process to prevent security apps from being removed, which obviously exposes the phone to various exploits, attacks and data extraction.

If users need to install apps, you should let us know. Our programmers will do it for you.

In this way, we prevent the remote installation of spyware through an incorrect app upgrade or by exploiting the Time-of-Check to Time-of-Use vulnerability described below.

Nearly half of all Android systems, 49.5 percent to be exact, contain a vulnerability that could allow an attacker - hacker or abusive actor - to abuse the application installation process to install spyware on affected mobile devices.

There is an Android OS vulnerability called Time-of-Check to Time-of-Use. This vulnerability affects approximately 89.4 percent of the Android population. Potential attackers can exploit this flaw in two ways. They can either use a harmless-looking app with harmless-looking permissions to download a separate malicious app in the future, or they can simply force a user to download an absolutely malicious app that contains a seemingly harmless set of permissions.

APKs are the file format used to install software on the Android operating system. Therefore, the person or thing that manipulates the APK can install arbitrary or malicious code on vulnerable devices out of the user's sight.

From memory, Android uses PackageInstaller to continue the installation. Once the installation begins in earnest, the package to be installed is displayed in a user interface called PackageInstallerActivity. Here, the user can confirm the download and check the requested permissions, which is also called the "time of check". However, in this case, the "time of check" vulnerability makes it possible for the attacker to manipulate the information displayed on the PackageInstallerActivity page. In other words, the attacker can make it appear that the user is downloading one app, when in fact the user is downloading an entirely different app.

App installation is also blocked by anti-forensic filters to protect the phone: No forensic client can be installed on the phone to extract data and/or files. When app installation is forced, the self-nuke mechanism is triggered and the phone goes into protected mode (permanent boot loop): bootloaders are erased and the phone's motherboard takes a discharge of 200 VDC on the data lines during the first USB connection.

During laboratory tests, the phone's battery has also been repeatedly set on fire, with ignition caused by high-voltage discharge. Our company will not be responsible for any damage or loss if any charger other than the supplied one is used or if any attempt is made to connect the phone to any other external device. We will not provide compensation for defects due to our own fault.


For a better understanding of the special functions, please read the glossary.

If you have any further questions, do not hesitate to contact us at contact us.

A5/0, A5/1, A5/2, A5/3 (Kasumi)

The GSM cipher algorithm is called A5. There are four variants of A5 in GSM, of which only the first three are widely used:


  • A5/0: no encryption at all

  • A5/1: strong(er) cipher, intended for use in North America and Europe

  • A5/2: weak encryption, intended for use in other parts of the world, but now rejected by GSMA

  • A5/3: even stronger cipher with open design. Also known as Kasumi. Used by some 3G and 4G mobile networks.

A5 / 1

Used stream encryption to provide protection for wireless communications in the GSM cellular standard. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious vulnerabilities were found in the cipher. A5 / 1 is used in Europe and the US.

A5 / 2

Is a stream cipher used to provide voice protection in the GSM mobile phone protocol. A5 / 2 was a deliberate weakening of the algorithm for certain export regions. The encryption is based on a combination of four linear feedback shift registers with irregular clocking and a nonlinear combiner.

A5 / 3

A5 / 3 is a Block encryptionwhich is used in UMTS-, GSM- and GPRS mobile communication systems. In UMTS, KASUMI is used in the confidentiality and integrity algorithms named UEA1 and UIA1 respectively. In GSM, KASUMI is used in the A5 / 3 keystream generator and in GPRS in the GEA3 keystream generator. More here.



In GSM mobile radio networks, an absolute high frequency channel number (ARFCN) is a code that specifies a pair of physical radio operators used to transmit and receive in a land mobile radio system, one for the uplink signal and one for the downlink signal. This network parameter is used to force the mobile phones to send registration requests to a wrong BTS (IMEI / IMSI catcher).

LTE EARFCN stands for E-UTRA Absolute Radio Frequency Channel Number. The EARFCN number is in the range from 0 to 65535.


Authentication Key (Ki)

The authentication key or Ki is a 128-bit key used in the authentication and generation of the cipher key. In short, the key is used to authenticate the SIM on the GSM network. Each SIM card contains this key which is assigned to it by the operator during the personalization process. The SIM card is specially designed so that the Ki cannot be compromised via a smart card interface.

Ciphering Key (Kc)

The SIM contains the encryption key generation algorithm (A8) used to generate the 64-bit encryption key (Kc). The encryption key is calculated by applying the same random number (RAND) used in the authentication process to the encryption key generation algorithm (A8) with the single subscriber authentication key (Ki). The encryption key (Kc) is used to encrypt and decrypt the data between the MS and the BS. However, a passive GSM interceptor can remotely extract, compute and use the encryption key to decrypt in real time.


A Broadcast Control Channel (BCCH) is a point to a unidirectional multipoint (downlink) channel used in the um interface of the GSM mobile radio standard. The BCCH transmits a repeating pattern of system information messages describing the identity, configuration and available functions of the base transceiver station (BTS).

BCCH manipulation

Special technique. GSM interceptors (IMEI/IMSI catchers) use BCCH manipulation to create a "virtual power effect" of up to several hundred watts. In this way, a GSM interceptor tricks handsets into always choosing the "BTS" with the strongest signal. Also, by changing the Cell ID (all other network parameters remain the same - MCC, MNC, LAC) and the ARFCN, the interceptor forces the mobile phones in the vicinity to send registration requests and in this way collect the phone identifiers: IMSI, IMEI, Classmark, etc.


Aka Cell Tower. The base transceiver station contains the equipment for transmitting and receiving radio signals (transceivers), antennas and equipment for encrypting and decrypting communication with the base station controller (BSC).


A company providing GSM telecommunications services.


In personal communications systems (cellular mobile telephone systems), a cell is the geographical area served by a single base station. Cells are arranged so that base station frequencies can be reused between cells. The area surrounding a cell site. The area in which calls from a particular cell site are processed.


cell ID

A GSM Cell ID (CID) is a generally unique number used to identify each Base Transceiver Station (BTS) or sector of a BTS within a Location Area Code (LAC) when it is not in a GSM network. In some cases, the last digit of the CID represents the sector ID of the cells. This network parameter is used in the so-called BCCH manipulation by GSM interceptors. By changing the Cell ID (all other network parameters remain the same - MCC, MNC, LAC) and ARFCN, the system forces the mobile phones within the area to send registration requests and thus collect phone identifiers: IMSI, IMEI, Classmark, etc.

cell site

The transmitting and receiving equipment, including the base station antenna, that connects a mobile phone to the network.

Channel Coding

Channel coding is the technique of protecting message signals from signal degradation by adding redundancy to the message signal.


A fade is a slow change in signal strength.

GSM 1800

The GSM 1800 band provides for a GSM uplink in the 1710-1785 MHz range and a GSM downlink in the 1805-1880 MHz range.

GSM 1900

The GSM 1800 band provides for a GSM uplink in the 1850-1910 MHz range and a GSM downlink in the 1930-1990 MHz range.

GSM 900

The GSM 900 band provides for a GSM uplink in the 890-915 MHz range and a GSM downlink in the 935-960 MHz range. GSM 900 is now switched off in the USA, Canada and Australia.


3G (short for Third Generation) is the third generation of wireless mobile telecommunications technology. It is the upgrade for 2.5GGPRS- and 2.75GEDGEnetworks, for faster data transmission.

3G telecommunications networks support services that provide an information transfer rate of at least 144 kbit/s [2][3][4] Later 3G versions, often referred to as 3,5G and 3,75G also offer mobile broadband access of several Mbps for Smartphones and mobile modems in laptops.

Older mobile interception systems could not directly intercept 3G mobile communications because they used high power jammers (frequency jammers) for 3G frequencies and in this way forced the mobile phones to downgrade to 2G frequencies where they can be easily intercepted. Nowadays, 3G and 4G systems can be intercepted without any problems.


Is the fourth generation of Broadband mobile technology, successor to 3G and predecessor of 5G. Potential and current applications include modified mobile web access, IP telephony, gaming services, high definition mobile TV, video conferencing and 3D TV. Older mobile interception systems could not directly intercept 3G and 4G mobile communications because they used high-power jammers (frequency interceptors) for 3G frequencies, forcing mobile phones to downgrade to 2G frequencies where they can be easily intercepted. Nowadays, 3G and 4G systems can be intercepted without any problems.


Is the fifth-generation technology standard for broadband mobile networks that mobile companies will begin deploying globally in 2019, and is the planned successor to the 4G networks that connect most current mobile phones.

GSM Air Interface

The GSM air interface operates in the UHF frequency band.

GSM Architecture

A GSM network consists of the mobile station, the base station system, the switching system and the operation and support system.

GSM base station system (BSS) The GSM base station system (BSS) provides the interface between the GSM mobile phone and other parts of the GSM network.

GSM Channels

GSM offers two types of channels: traffic channels and signalling channels.

GSM handover

Handover is the process of transferring the affiliation of a GSM mobile phone from one base station to another.

GSM Interceptor

See IMEI / IMSI catcher.        

GSM Security

GSM provides a range of security services including authentication, key generation, encryption and limited privacy.


The International Mobile Station Equipment Identity or IMEI is a normally unique number used to identify 3GPP (i.e. GSM, UMTS and LTE) and iDEN mobile phones and some satellite phones. The IMEI number is used by a GSM network to identify valid devices and is used only to identify the device and has no permanent or semi-permanent relationship with the subscriber. It is also used by IMEI / IMSI catchers / GSM taps to identify your phone and intercept calls.


The International Mobile Subscriber Identity is a unique identifier assigned to all mobile networks. It is stored as a 64-bit field and sent from the phone to the network. It is also used to record other details of the mobile in the home location register (HLR) or as copied locally in the visitor location register. To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface, the IMSI is sent as infrequently as possible and a randomly generated TMSI is sent instead.


IMSI Catcher

Is essentially a fake cell tower that acts between the target cell phones and the real towers of the service provider. As such, it is considered a Man In the Middle (MITM) attack. It is used as an eavesdropping device to intercept and track mobile phones and is usually undetectable to mobile phone users. Such a Virtual Base Transceiver Station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls.

The IMSI Catcher masquerades as a base station and logs the IMSI numbers of all mobile stations in the region as they attempt to connect to the IMSI Catcher. This can force the mobile connected to it not to use call encryption (i.e. it is put into A5 / 0 mode), making it easy to intercept the call data and convert it to audio.


Location Area Code, unique number sent by a "Base Transceiver Station" in GSM. A "location area" is a group of base stations grouped together to optimize signaling. Typically, dozens or even hundreds of base stations share a single Base Station Controller (BSC) in GSM or a Radio Network Controller (RNC) in UMTS, the intelligence behind the base stations. The BSC handles the allocation of radio channels, receives measurements from the mobile phones, controls handovers from base station to base station.



Mobile country codeThis is used when addressing mobile networks.


A mobile network code (MNC) is used in combination with a mobile country code (MCC) (also referred to as "MCC / MNC tuple") to uniquely identify a mobile operator using the GSM/LTE, CDMA, iDEN, TETRA and UMTS public mobile networks, as well as some mobile satellite networks.


Is a number that uniquely identifies a subscription in a GSM or UMTS mobile network. In simple terms, it is the phone number of the SIM card in a mobile phone. This abbreviation has several interpretations, the most common being "Digital Network Number for Integrated Mobile Subscribers". See also Silent Call.

SIM card

Smart card that gives GSM phones their user identity.

silent call

In terms of GSM interception, a silent call is a call made by the GSM interceptor to a specific IMEI/IMSI to establish correlations between IMEI/IMSI and MSISDN (Mobile Subscriber Integrated Services Digital Network-Number, which is actually the phone number to the SIM card in a mobile/cell phone). Silent calling allows a GSM interceptor to find out a specific phone number associated with a specific IMEI/IMSI. Silent calls are the result of a process known as "ping". This is very similar to an Internet Protocol (IP) ping. A silent call cannot be detected by a phone user. Not to be confused with the spy call, which means eavesdropping on the telephone environment.

Silent SMS

Many foreign police and intelligence services use clandestine "silent" SMS to locate suspects or missing persons. This method involves sending a text message to a suspect's mobile phone, which sends a signal back to the sender of the message without being noticed. Silent SMS, also known as flash SMS, uses an invisible return signal called a "ping." Silent SMS allows the user to send a message to another cell phone without the owner of the recipient cell phone knowing. The message is rejected by the recipient cell phone and leaves no trace. In return, the sender receives a message from a mobile operator confirming that the silent SMS has been received. Silent SMS was originally intended to allow operators to determine if a mobile phone was switched on and "test" the network without alerting users. But now intelligence agencies and police have found other uses for the system.

Technical Bit: To manipulate and mute the SMS information, the security services pass through a network to send and receive SMS called SMS gateway such as Jataayu SMS gateway. This allows them to interconnect the processing and GSM systems. This method of bulk sending seems to be widely used by these security services. Silent SMS allows for the accurate location of a mobile phone using the GSM network. Law enforcement can locate a user by identifying the three antennas closest to his or her cell phone and then triangulating the distance according to the speed it takes a signal to travel back. A cell phone updates its presence on the network periodically, but if the person moves, the information is not updated immediately. By sending a silent SMS, the location of the mobile phone is updated instantly. This is very useful because it allows law enforcement to locate a person at a specific time, depending on radio frequencies.

This technique is much more effective than simple cell phone tracking (Cell ID). This is the only immediate and practical way to constantly locate a cell phone when it is not in use. We then refer to it as geopositioning and not geolocation. After that, either the police track the information on the operators, or private companies process the data and refer the investigator, for example, to a map on which the movements of the monitored phone appear in real time.

Spy Call

A spy call is a call made by a GSM interceptor to a mobile phone to listen to the phone environment. This call cannot be detected by the phone user.


Temporary Mobile Subscriber Identity (TMSI) is the identity most commonly sent between the mobile phone and the network. TMSI is assigned by the VLR randomly assigned to each mobile phone in the area as soon as it is turned on. The number is local to a location area and therefore must be updated each time the mobile moves to a new geographic area.

The network can also change the TMSI of the mobile phone at any time. This is usually done to prevent the subscriber from being identified and tracked by eavesdroppers on the radio interface. This makes it difficult to track which cell phone is which, except briefly when the cell phone is currently on or when the data in the cell phone becomes invalid for one reason or another. At that point, the global "International Mobile Subscriber Identity" (IMSI) must be sent to the network. The IMSI is sent as infrequently as possible to avoid being identified and tracked.


How does cell phone user location work, and how accurate is it? There are two methods of determining the location of mobile phone users. Cell phones equipped with the Global Positioning System (GPS) use signals from satellites to determine location very accurately. The second, less accurate method is often called "cell tower triangulation" and refers to how the cell towers that receive a phone's signal can be used to calculate its geophysical location.

Some industry researchers estimate that only about 11% of phones manufactured this year will have the GPS feature, leaving the remaining 89% of phones without GPS to rely on "cell tower triangulation" to expose geolocation data to applications.

What exactly is cell tower triangulation?

In the best case, the signal of a mobile phone can be received by three or more cell towers, so that "triangulation" works. From a geometric mathematical point of view, if we know the distance of an object from three different points, we can calculate the approximate position of that object in relation to the three reference points. This geometric calculation applies in the case of cell phones because we know the locations of the cell towers that receive the phone signal, and we can estimate the distance of the phone from each of these antenna towers based on the delay time between when the tower sends a ping to the phone and receives the response ping back.

In many cases, there may even be more than three cell towers receiving a phone's signal, allowing for even higher accuracy (although the term "triangulation" isn't really accurate when you use more than three reference points). In densely built-up, urban areas, cell phone location accuracy is considered very high because there are typically more cell towers whose signal coverage areas overlap. In cases where a cell phone user is within large structures or underground, cell tower triangulation may be the only method of determining location since GPS signal may not be available.

With many cellular networks, the accuracy of the location can be even higher because directional antennas are used on the tower and thus the direction of the cell phone signal can be identified. With the signal direction plus the distance of the phone from the cell tower, the accuracy can be quite good, even with only two towers.

However, there are many places where fewer cell towers are available, such as on the outskirts of cities and in rural areas. When fewer than three cell towers are available, the location of a mobile device can become much less accurate. In cities, where there are many more vertical structures that can be an obstacle to sending and receiving cell phones, many more cell towers need to be spread out to have good service. In rural areas, there are relatively fewer cell towers and a phone's signal may only be received by one at a much greater distance.

In areas where a phone is only picked up by a single tower, and if it is only equipped with omnidirectional antennas, the accuracy becomes even less. In rural areas, cell tower range can vary from about a quarter mile to several miles, depending on how many obstacles might block the tower's signal.

How extensive is government surveillance?

No civilian can know. Some governments in the EU, such as the UK government, have laws and practices that allow the government to collect and use information in legal cases without disclosing its sources or methods. Chapter 8 of the Crown Prosecution Service's Disclosure Manual includes: "the ability of law enforcement agencies to combat crime through the use of covert human intelligence sources, covert operations, covert surveillance, etc." and "the protection of secret methods of detecting and combating crime."

Whistleblower William Binney, former director of the U.S. NSA (World Geopolitical and Military Analysis Reporting Group), estimates that the U.S. NSA alone has compiled 20 trillion "transactions" - phone calls, emails, and other types of data - just from Americans ( April 2012). Government agencies aren't the only organizations interested in personal data stored on or transmitted through your mobile phone. Self-styled cybercriminals are now jumping on the bandwagon to take advantage of what was previously only available to government and intelligence agencies.

The target phone is located by a GSM interceptor with target location functions.

The mode of operation is based on two vehicles. The first vehicle with the interceptor system, which forces the target phone to continue signal transmission. The second vehicle is used with the interceptor and the tracking components. The direction to the target is displayed as a compass pointer and the relative signal strength is displayed as a bar graph and numerically. The beep increases in frequency as the Interceptor approaches the target, providing a clear warning of a close encounter.


The authentication algorithm used in the GSM system. Currently, the COMP128 algorithm is used in most GSM networks as A3 / A8 implementation.


The encryption algorithm used in the GSM system. There are different implementations called A5 / 1, A5 / 2, ... The A5 / 1 is known as a strong algorithm for data protection over radio. A5 / x (A5 / 2 ...) are weaker implementations that target foreign markets outside Europe. There is also an A5 / 0 algorithm which contains no encryption at all.


The key generation algorithm used in the GSM system. Currently, the COMP128 algorithm is used in most GSM networks as A3 / A8 implementation.


Authentication Center. The AuC register is used for security reasons. It contains the parameters required for authentication and encryption functions (RAND, SRES and Kc). The RAND is a random challenge that is randomly generated. The other two parameters are generated from the subscriber's RAND and Ki using A3 and A8 algorithms. These parameters help to verify the identity of the user (SRES) and provide the session key (Kc).


Base Station Controller. The BSC acts as a common node between multiple BTSs that together form a BSS and the backbone network.


Base Station Subsystem. The BSS connects the mobile station and the NSS. It is responsible for transmitting and receiving. The BSS can be divided into two parts:

  • The Base Transceiver Station (BTS) or Base Station

  • The Base Station Controller (BSC)


A one-way function currently used in most GSM networks for A3 and A8. Unfortunately, the COMP128 algorithm is defective, so it reveals information about its arguments when queried appropriately. This is an undesirable and unacceptable side effect of a one-way function.


General Packet Radio Service. GPRS is used to implement high-speed data transmission between the MS and another subscriber. GPRS uses multiple BTSs in the same BSS. The MS sends different packets to different BTSs, which are reconstructed in the SGSN. This allows the MS to use a higher transmission speed than one transmission channel can handle.


Home Location Register. The HLR is part of the AuC. The HLR provides the MSC with triples indicating a random challenge and an SRES, as well as a Kc based on the Ki of a particular participant and the random challenge. The HLR is also responsible for ensuring that the location of the MS is known at all times.



Internet security, applications, authentication, and cryptography. A small research group in the Computer Science Division at the University of California, Berkeley.



The secret session key used to encrypt over-the-air traffic between the BTS and the MS. The Kc is generated after each authentication initialized by the MSC. The Kc is calculated from the Ki and from the random challenge sent by the MSC using the A8 algorithm. Both the MS and the HLR compute the Kc independently. The Kc is never transmitted over the air.



Ki is the secret key shared between the SIM and the subscriber's home network HLR.



Least Significant Bit.



Linear Shift Feedback Register. A register that generates an output bit based on its previous state and a feedback polynomial.



Mobile Station, the mobile phone.



Mobile Services Switching Center, the central component of the NSS. The MSC performs the switching functions of the network. It also establishes a connection to other networks.



Network and switching subsystem whose main task is to manage the communication between the mobile users and other users such as mobile users, ISDN users, fixed line telephony users, etc.. It also contains databases needed to store information about the subscribers and users to manage their mobility.



The Smartcard Developers Association is a non-profit organization that seeks to provide non-proprietary information about smartcards to developers.



Serving GPRS Support Node. An SGSN delivers packets to MSs in its service area via multiple BTSs. An SGSN also communicates with an HLR to authenticate MSs to enable encrypted communication. In GPRS, the SGSN authenticates the MS instead of the MSC.



Signed RESponse. This is the response that the MS sends back to a request from the MSC during MS authentication, thereby authenticating itself to the MSC (or SGSN in the case of GPRS).



Signaling system 7 is used as the signaling protocol in most intelligent networks. SS7 is defined by ITU-T.


Symmetric Cryptography

In symmetric cryptography, the same key is used for both encryption and decryption.



Visitor Register. The VLR stores triples generated by the HLR when the subscriber is not on its home network. The VLR then makes these triples available to the MSCs when required.