XStealth Stealth Phone


€ 4'900.00

Network technology: 2G/3G

Special Features

Special Menu

Calibrate

IMEI Change

IMSI Change

Hunting Mode

A5 Alert

Location Tracking Alert

Location Spoofing

Channel Lock

C2 Monitoring

cryptoTRACER

Sandbox

Network scan

LAC Change detector

XCrypt MLSP®

Special Menu

This feature gives access to the control panel: the user dials a secret code and is then prompted for the control panel. A second secret code is required to access the main Special Functions menu.

The Special menu on the XStealth Stealth Phone


Calibrate

This feature calibrates the Stealth Phone, tests the GSM network and stores data about the home network, which is part of the self-learning process used to detect network anomalies.

The Calibrate feature on the XStealth Stealth Phone

IMEI Change

This feature allows the user to control how the IMEI is changed (after any event such as a call or SMS, on network or IMSI Catcher request, etc.) and also to define their own IMEI, enabling different protection scenarios.

IMEI is the phone ID. When this feature is enabled, calls and SMSs cannot be intercepted, and location cannot be tracked. Also, the target correlation methods of modern GSM-Interceptors that match the IMEI of the phone with the IMSI (SIM card used in that phone) will fail. Combined with the special Dynamic IMSI feature, the Stealth Phone's capabilities become a weapon. Changing the IMEI is legal as long as you are not doing it with a stolen phone. For legal reasons, you can always restore the original IMEI.

The IMEI Change feature is designed to protect conversations against control and interception by a GSM-Interceptor. To intercept your calls, a GSM-Interceptor will capture and use the following phone identifiers:

1. Your phone number (not transmitted over the air but known to the operator).

2. IMSI – unique SIM registration number.

3. IMEI – unique phone registration number, other than the phone number contained in the SIM.

If you change the IMEI and IMSI, then all the phone identifiers are different. Therefore, the system operator does not know whom to put under surveillance. If you have only changed the SIM or the IMEI, you gain nothing and your calls will continue to be intercepted as if you had not changed anything.

If you change the IMEI and IMSI at the same time, you can avoid any GSM-Interception. Since all your phone identifiers have changed (which were previously registered in the target selection list of a GSM-Interceptor), the GSM-Interceptor operator has to make additional efforts to receive and register your new identifiers. In addition, the system operator cannot understand that he has lost control of your phone.

XStealth has a fully automated IMEI and IMSI change, making it impossible to be identified.

The IMEI change feature on the XStealth Stealth Phone

IMSI Change

This feature transforms your phone into a sophisticated counter-intelligence weapon by allowing the user to automatically change the IMSI number. SIM cloning starts and generates a new valid IMSI to be used for the next calls or messages. No internet connection, third party servers or special SIMs are required. No monthly fees or commitments.

The phone will clone any SIM card inserted. Once cloned, the real SIM is quarantined and a virtual SIM is used instead, which can change its IMSI by generating valid IMSIs. The IMSI change is done automatically. Please note that the MSISDN (the phone number associated with the SIM card in use) does not change when you use the IMSI change function.

XStealth has a fully automated IMEI and IMSI change, making it impossible to be identified.

The IMSI change feature on the XStealth Stealth Phone


Hunting Mode

This feature allows the user to switch between Hunting mode (call and SMS interception detection) and Anti Interception mode (no calls and messages can be sent or received while interception is active, regardless of whether GSM-Interceptor or SS7 means are used).

The Mode feature on the XStealth Stealth Phone

A5 Alert

This feature alerts the user in real time when voice and data connections are being intercepted.

All mobile calls and messages are encrypted by default in almost all mobile networks. The GSM standard encryption algorithm is called A5. There are four variants of A5 in GSM, of which only the first three are widely used: A5/0, A5/1, A5/2 and A5/3. The latest interception technologies are capable of intercepting not only calls and messages, but also data (Internet usage). A GSM-Interceptor or IMSI Catcher forces mobile phones into A5/0 mode (no encryption), which makes it easy to intercept call data and convert it into audio. 

XStealth detects this situation and alerts the user in real time.

The A5 Alert feature on the XStealth Stealth Phone

Location Tracking Alert

This feature is a location tracking and Ki extraction alert. When a location tracking ping is received, XStealth will alert you.

Tracking methods used by law enforcement are based on mobile networks. The target phone does not need to be connected to the internet. In most cases, network operator assistance is required, unless SS7 is used to track the location of the phone.

Every time a GSM-Interceptor tries to obtain Ki (the encryption key stored on the SIM card), it sends out so-called “challenges” and waits for the SIM card to respond with parts of the encryption key. The Ki is then calculated later. Ki extraction alerts are also provided by this feature.

The Location Tracking Alert feature on the XStealth Stealth Phone

Location Spoofing

This feature is true GSM location spoofing. The user can choose which cell tower the phone is connected to. In this way, any triangulation technique used for location tracking will produce false results, resulting in a false location.

Most so-called location spoofing applications are internet-based and only spoof GPS data. This creates a false sense of security because the GSM location is revealed every time the target phone is connected to a mobile network. GSM location data (Cell ID, Location Area Code, etc.) is often used by law enforcement agencies to locate mobile phones.

XStealth is immune to this type of location tracking since connecting to more distant towers will cause false locations to be stored with the providers, leading to false results if analysed.

Caution: The mobile data connection is also provided by the network operator (via cell towers, which are easy to find). If the phone is connected to the internet via a mobile hotspot, the phone can be tracked instantly.

Optimal location spoofing is implemented for ease of use. XStealth will always connect to the most distant cell tower, whether it is stationary or in motion.

The Location Spoofing feature on the XStealth Stealth Phone

Channel Lock

This feature allows the user to block the ARFCN (uplink and downlink – the pair of radio channels used by the cell tower to communicate with the phone and vice versa) to prevent a forced handover (the phone is forced to silently disconnect from the home network and connect to a fake cell tower spoofed by a GSM-Interceptor). XStealth remains connected to the real cell tower, preventing it from ‘slipping’ to a fake cell tower (IMSI Catcher) that uses a different ARFCN to force a handover.

The Channel Lock feature on the XStealth Stealth Phone

C2 Monitoring

This feature monitors the C2 (cell re-selection criterion) parameter used by GSM-Interceptors to force mobile phones to connect. Active and semi-active GSM-Interceptors will force any mobile phone to disconnect from the home network and connect to the rogue BTS that the device is impersonating. This is also known as BCCH manipulation and is used by all modern GSM-Interceptors.

When this function is launched, the phone will:

1. Extract the C1 value from the serving cell.

2. Compute the C2 value using a special algorithm, the same one used by any GSM network.

3. Look for at least 6 other neighboring cell towers, ordered by RSSI value.

4. Compare C1 to C2.

5. Trigger an alert if no neighboring cells are found (a clear indication that a GSM-Interceptor is active within the area).

6. Look for CPICH, RSCP and BCCH.

7. Display forced handover attempts (if any).

8. Display Channel Lock failures (if any).

The C2 Monitoring feature on the XStealth Stealth Phone
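The comparison in the steps above can be sketched with the standard GSM C1/C2 cell reselection formulas from 3GPP TS 45.008. This is an added example, not XCell's code or algorithm: the `Cell` fields, the 33 dBm handset power, the alert threshold, the alert names and the sample measurements are all constructed assumptions.

```python
from dataclasses import dataclass

PENALTY_RESERVED = 31  # PENALTY_TIME coded 11111: the offset is subtracted
OFFSET_ALERT_DB = 30   # assumed threshold; tune it against the home network

@dataclass
class Cell:
    arfcn: int
    rla_c: int                     # averaged receive level, dBm
    rxlev_access_min: int          # dBm, broadcast on the BCCH
    ms_txpwr_max_cch: int          # dBm, broadcast on the BCCH
    cell_reselect_offset: int = 0  # dB
    temporary_offset: int = 0      # dB
    penalty_time: int = 0          # coded 0..31, 20 s steps
    seen_for_s: int = 10_000       # timer T: seconds since the cell was listed

def c1(cell, ms_max_power=33):
    """Path loss criterion: C1 = A - max(B, 0)."""
    a = cell.rla_c - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch - ms_max_power  # assumed 2 W (33 dBm) handset
    return a - max(b, 0)

def c2(cell, serving=False, ms_max_power=33):
    """Reselection criterion: C1 adjusted by the offsets the cell broadcasts."""
    base = c1(cell, ms_max_power)
    if cell.penalty_time == PENALTY_RESERVED:
        return base - cell.cell_reselect_offset
    penalty_s = 20 * (cell.penalty_time + 1)
    # H() is 0 for the serving cell and once timer T has passed PENALTY_TIME
    h = 0 if serving or cell.seen_for_s > penalty_s else 1
    return base + cell.cell_reselect_offset - cell.temporary_offset * h

def assess(serving, neighbours, ms_max_power=33):
    """Return alert labels for one measurement snapshot (heuristics assumed)."""
    alerts = []
    if not neighbours:
        # Step 5 on the page: a serving cell that advertises no neighbours
        alerts.append("NO_NEIGHBOURS")
    s_c1 = c1(serving, ms_max_power)
    s_c2 = c2(serving, True, ms_max_power)
    if s_c2 - s_c1 >= OFFSET_ALERT_DB:
        # Step 4: C2 far above C1 means the ranking comes from the offset
        alerts.append("C2_INFLATED")
    # Step 3: consider the six strongest neighbours by receive level
    ranked = sorted(neighbours, key=lambda n: n.rla_c, reverse=True)[:6]
    for n in ranked:
        better_radio = c1(n, ms_max_power) > s_c1
        worse_rank = c2(n, False, ms_max_power) < s_c2
        if better_radio and worse_rank:
            # A neighbour with better path loss loses only because of offsets
            alerts.append(f"OFFSET_DRIVEN:{n.arfcn}")
    return alerts

# Constructed sample measurements, not captured from a real network
HOME = Cell(arfcn=42, rla_c=-70, rxlev_access_min=-104, ms_txpwr_max_cch=33)
N1 = Cell(arfcn=55, rla_c=-80, rxlev_access_min=-104, ms_txpwr_max_cch=33)
SUSPECT = Cell(arfcn=17, rla_c=-85, rxlev_access_min=-104,
               ms_txpwr_max_cch=33, cell_reselect_offset=60)

if __name__ == "__main__":
    print(assess(HOME, [N1]))           # normal camping on the home cell
    print(assess(SUSPECT, [HOME, N1]))  # weaker cell winning through its offset
    print(assess(SUSPECT, []))          # same cell with an empty neighbour list
```

A large CELL_RESELECT_OFFSET is also used legitimately by operators to steer traffic, so these labels are indicators to correlate with other observations, not proof of a rogue base station.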


cryptoTRACER

This feature detects lawful interception by SS7 boxes (known as Network Switch Based Interception or Network Operator Assistance Interception). cryptoTRACER is a unique feature based on XCell’s proprietary algorithms that can instantly detect lawful interception attempts and alert the user when calls and SMS are being intercepted using SS7 (strategic interception solutions).

In addition to IMSI Catchers and GSM-Interceptors, which are small and mobile (sometimes vehicle mounted) interception systems, law enforcement agencies use so-called lawful interception (SS7 interception or operator help interception), a special piece of hardware that is directly connected to the GSM core network (at the level of the network switch).

To instantly detect whether your XStealth is monitored by SS7 means, you don’t have to make any call or send/receive a message. Just run cryptoTRACER® and wait for the results. After checking the phone firmware integrity, cryptoTRACER® will start pinging the core network at MSC/VLR and AUC/HLR level. It will then calculate the network redundancy and compare it to the standard redundancy. If a ping delay is detected, an SS7 monitoring alert will be triggered by displaying:

– Network redundancy [!]

– Ping delay [!]

– Phone status [!]

The cryptoTRACER feature on the XStealth Stealth Phone


Sandbox

This feature creates a separate, secure partition in which the IMEI engine, IMSI engine and other security-related software components run smoothly, without the possibility of interference or tampering. The user can verify the integrity of the sandbox and its components at any time.

The Sandbox feature on the XStealth Stealth Phone

Network scan

This feature is a live network monitoring tool that looks for IMSI Catchers and GSM-Interceptors, SS7 interception and other network anomalies. Real-time interception detection is also available. No false alarms due to intelligent scanning mode.

The Network Scan feature on the XStealth Stealth Phone scanning cell towers

LAC Change detector

This is the Proximity Alert feature. The phone will detect any abnormal LAC (Location Area Code) change when stationary; such changes are made only by IMSI Catchers and GSM-Interceptors to force a connection.

The LAC Change Detector feature on the XStealth Stealth Phone

XCrypt MLSP®

This feature adds an absolutely new breed of secure SMS which is not just encrypted but also uses a new patented technology that makes SMS non-interceptable.

This is a revolutionary innovation called Multi-Layer Security Protocol – MLSP®, developed and patented by XCell Technologies. Taking advantage of the GSM network architecture and the SMS Transport Protocol, our SMS encryption technology is capable of sending and receiving encrypted and non-interceptable messages.

Please note that for exchanging encrypted messages you need at least 2 phones. The sender phone will encrypt the message and the receiver phone will decrypt it.

MLSP® consists of:

1. Physical layer: encrypted text message.

The phone will encrypt text messages using the following protocols:

– RSA 

– AES 256 

– Elliptic Curve (ECIES) 256 

– SHA256 

– Protected by ITSEC Evaluation level 3

2. Multi-layer routing and transport protocol. Encrypted SMS data is randomly segmented and distributed in bursts by Application Port Addressing Technology, via discrete GSM channels which are usually not “listened to” by mobile interception systems (IMSI Catchers, GSM-Interceptors or StingRays), both on the air interface (Um interface in GSM terms) and on the Abis, A and C-G mobile network interfaces. This way, SMS data which is usually sent over GSM Layer 1 (and widely intercepted on Layer 1) will be sent using a combination of GSM Layer 1 and GSM Layer 2 (LAPDm). As a consequence, neither mobile interception systems (such as GSM-Interceptors) nor lawful interception systems (SS7 interception, also known as network switch based interception or interception with the help of the network operator) will be able to intercept the whole message, but only a few bursts, which are encrypted anyway.

3. Metadata protection. Regular SMS metadata is not saved in a separate file (called a metadata file). XCrypt separates the metadata from the data it describes (the encrypted SMS text), sending the metadata file in bursts over the network using the same Port Addressing technology. Metadata is of little value without the data file (SMS) it relates to. At the same time, metadata makes the data more usable and therefore more valuable. An encrypted text message with a separate metadata file will reveal nothing about the SMS sender and receiver.

Our SMS encryption application uses a groundbreaking multi-layer technology to protect SMS from being intercepted and decrypted. As a unique encryption application, besides strong military grade encryption, XCrypt uses a brand new patented technology to send and receive encrypted messages: discrete GSM channels, or Multi-Layer Security Protocol®. This protects not just encrypted text messages but also metadata, which is not encrypted.

The XCrypt MLSP feature on the XStealth Stealth Phone to send and receive encrypted SMS

Forensic Bullet-Proof

XStealth is protected from forensic investigations by volatile USB filters. No forensic device can extract any data or files from the Stealth Phone. As soon as the Stealth Phone is connected to such a device, a PC or a service box, the volatile USB filters trigger a self-destruction of the motherboard, and the Stealth Phone goes into protected mode (permanent boot loop).
How does it work?

XCell Pro Stealth Phone is able to detect any changes made by a GSM Interceptor on a GSM network to register or attract the phone to the fake network (GSM Interceptor Proximity Alert). The registration of the phone on a new BTS (the fake BTS generated by a GSM Interceptor) is an automated process and this behaviour is absolutely common in any mobile phone. Any mobile phone will automatically select the strongest GSM signal generated by the GSM Interceptor in case of interception. GSM Interceptors (active and semi-active) force the phone to hand over by suppressing the real network signal with a strong signal and by mimicking the network parameters: MCC, MNC and LAC. However, the ARFCN (communication pair channels) and Cell ID are modified to force the phone to send registration requests to the "new" BTS. The XCell Pro Stealth Phone detects these changes and warns you: a discreet open lock icon is displayed on the home screen. The same open discreet lock icon is displayed during an active call in case of call interception (Call Interception Alert). In addition to the home screen alert, the phone alerts you with a sound/vibration alert.

If the network characteristics change, i.e. if a GSM Interceptor, IMSI Catcher or any other method is used to try to trick the SIM into changing to a breakable A5/2 encryption, the phone will detect this and alert the user with an alarm, vibration or a message displayed on the screen. No calls or SMS can then be made. The phone will also randomly change the IMEI on each call, or you can specify an IMEI. A good way of confirming that the phone is changing the IMEI and not just giving the appearance of a different IMEI is to assign a known locked or stolen IMEI to the phone.

The phone will also alert you if it receives an abnormal number of requests to re-register with the GSM network (UnPing function), either from the network itself or from a GSM Interceptor attempting to locate the phone or perform a Kc (Communications Ciphering Key) extraction from your SIM card. The phone can be locked to a specific GSM channel number (ARFCN) to avoid BCCH manipulation procedures performed by GSM Interceptors. The XCell Pro Stealth Phone will display the TMSI value on the home screen, which will remain the same if the phone is intercepted. The phone automatically clears the call log after each outgoing or incoming call and all incoming and outgoing call audio is automatically recorded without any background beeps. All recorded files can be played directly from the phone.


How does it work?

The XStealth comes with preinstalled generic applications in which we have modified certain features (such as removing back doors used by law enforcement and some security flaws), adding extra security and privacy. This is why we have blocked any OTA software update, which could reintroduce security issues. Software updates usually concern compatibility with new Android versions, which does not apply in our case and will not affect application workflow.

Before shipping, we will install up to 5 software applications requested by the user, but only after running a comprehensive security audit. We will refuse to pre-install applications that can affect user privacy and security, or phone functions. Please let us know your requirements before placing your order.

How does it work?

XStealth firmware is secure by default: no other software applications can be installed, either by the phone user (who has the phone in their hands) or remotely by obscure third parties or abusive law enforcement. Hence, no anti-virus software is needed. Also, XStealth will not perform any OTA firmware / software update, which may lead to remote exploits.

No App Install / Uninstall
App installation is blocked on XStealth, and app uninstallation is blocked as well. We blocked the app uninstall process to prevent security apps from being removed, which would obviously expose the phone to various exploits, attacks and data extraction. In this way, we prevent remote spyware installation by improper app upgrade or by exploiting the “Time-of-Check to Time-of-Use” vulnerability described below.
Almost half of all Android systems, 49.5 percent to be precise, contain a vulnerability that could allow an attacker – hacker or other abusive actor – to abuse the application’s installation process to install spyware on affected mobile devices.
There is an Android OS vulnerability called Time-of-Check to Time-of-Use. This vulnerability affects approximately 89.4 percent of the Android population. Potential attackers can exploit this flaw in two ways. They can either use a harmless looking app with harmless looking permissions to download a separate malicious app in the future, or they can simply force a user to download an absolutely malicious app that contains a seemingly innocuous set of permissions.
APKs are the file format used to install software on the Android operating system. As a result, the person or thing tampering with the APK can install arbitrary or malicious code on vulnerable devices out of sight of the user.
From memory, Android uses PackageInstaller to continue the installation. Once the installation begins in earnest, the package to be installed will appear in a user interface called PackageInstallerActivity. Here the user can confirm the download and check the requested permissions, which is also known as the “time of the check”. In this case, however, the “time of check” vulnerability makes it possible for the attacker to manipulate the information displayed on the PackageInstallerActivity page. In other words, the attacker can make it appear that the user is downloading one app when in fact they are downloading a completely different app.
The app installation is also blocked by anti-forensic filters to protect the phone: a forensic client cannot be installed on the phone to extract data and / or files. If the app installation is forced, the self-nuke mechanism is triggered and the phone goes into protected mode (permanent boot loop).

No OTA Updates
Most “secure” cell phones and apps these days request software updates from time to time, which is basically not a bad thing. The main problem is that fake software updates can be deployed by skilled hackers or abusive law enforcement agencies to trick the phone user and install spyware without the user being aware of and consenting to it. This is because a malicious app or code execution can easily be disguised as a software update and easily installed on the phone remotely. This is actually the way law enforcement agencies get remote access to phone data.