Due to hardware and software limitations, there is no XCell Stealth Phone that has ALL of the special features shown below. Our programmers have squeezed all kinds of special features out of all of the cell phones we use. The best XCell Stealth Phone is the one that fits all security needs.
XTerminator is designed to attack IMSI Catchers and GSM Interceptors OTA (Over The Air) via available uplink channels by LUR flooding, sending continuous connection requests (LUR) via RACCH – Radio Access Control Channel in a short period of time, similar to DoS network attack.
Real-time intercepted call detection and warning. The Stealth Phone user is warned when a call is intercepted. Based on A5/1 stream cypher checking and TA checking algorithm (for SS7 interception). Triggered by any type of interception: IMSI catcher, GSM interceptor, SS7.
*Refers to phone calls made over the mobile network. Does not refer to IM voice chat, Skype, etc.
Detection and alerting of SMS in real time. The Stealth Phone user is warned when SMS are intercepted. Based on A5/1 stream cypher checking and TA checking algorithm (for SS7 interception). Triggered for any type of interception: IMSI Catcher, GSM Interceptor, SS7.
False Positive in networks that do not use encryption for SMS by default.
*Refers to regular SMS sent and received via mobile network. Does not refer to IM chat, WhatsApp, etc.
Real-time detection and alerting of location tracking pings. On some XCell Stealth phones, received pings are stored in a text document for further analysis. When Location Spoofing is enabled (if available), a spoofed GSM location is sent based on the furthest cell tower the Stealth Phone can “see”.
*Relates to location tracking procedures that use the subscriber’s cellular network (by government agencies, law enforcement, etc.). Not effective for IP-based location tracking.
The interception of SS7 calls is done with the help of the network operator or, as in the latest systems – e.g. ULIN – bypassing the network operator’s servers, directly at the HLR/VLR level.
Real-time interception detection and alerting.
SS7 location tracking is done with the help of the network operator or, as with the latest systems – such as ULIN – bypassing the network operator’s servers, directly at the HLR/VLR level.
Real-time location tracking detection and alerting.
LUR is sent from the network to the phone and requests the location of the phone. This is a standard procedure used by all mobile networks. A GSM Interceptor with location tracking capabilities sends multiple LUR to the target phone to determine its exact location. XCell Stealth Phones detect abnormal LUR and trigger location tracking alerts, which are stored in a text file for further analysis.
Note: Cellular phones are not designed to function at very high speeds when traveling, such as on commercial airliners. Mobile phone networks are also not designed to support such speeds. Above 400Km/h during low altitude flights, false positive LUR alerts may occur due to the rapid succession of LAC.
Real Location Spoofing refers to the fake location sent for triangulation techniques (based on the cell tower location). Basically, the Stealth Phone connects to the furthest cell tower that can be “seen” by the Stealth Phone. It does not depend on GPS location and does not require an internet connection or third-party servers. GPS spoofing can be easily circumvented by triangulation, which reveals the actual location based on the cell tower’s location.
IMEI is the phone ID. The dynamic IMEI function changes the IMEI automatically after each call and SMS without user intervention. When this feature is enabled, calls and SMS cannot be intercepted and location cannot be tracked. Also, the target correlation methods of modern GSM Interceptors that match the IMEI of the phone with the IMSI (SIM card used in this phone) will fail. Combined with the special Dynamic IMSI feature, the Stealth Phone capabilities become a weapon.
IMEI is the phone ID. Some basic XCell Stealth phones only have the function to manually change the IMEI, such as the XCell Dual SIM Stealth Phone. Dynamic IMEI stealth phones can also change the IMEI manually: User can add a specific IMEI. When IMEI change is enabled, call and SMS interception and location tracking will fail. Also, the target correlation methods of modern GSM Interceptors that match the IMEI of the phone with the IMSI (SIM card used in this phone) will fail.
You can clone any other mobile phone and impersonate it to fool GSM Interceptor. Due to the sensitive nature of this particular feature, more info after purchase.
IMSI is the SIM ID. Why IMSI change? Well, the answer is “IMSI Catcher”, the name given to mobile phone interception systems. IMSI Change is a special feature requested by law enforcement and intelligence agencies and is now available to the public. The Stealth Phone user can generate a new IMEI and IMSI for each call, making tracking and interception an impossible mission. The IMEI is the phone ID, the IMSI is the SIM ID. If you change everything, the phone user is 100% protected.
Each mobile phone is connected to a cell tower via a pair of radio channels – uplink and downlink – called ARFCN or EARFCN. A GSM Interceptor forces the phone to disconnect from the real cell tower and connect to the GSM interceptor using a different ARFCN and LAC (Location Area Code) value. By blocking ARFCN channels, XCell Stealth Phones do not connect to a GSM Interceptor or any other real cell tower when on the move, thus avoiding call and SMS interception.
Low signal or even signal loss issues may occur.
All communication in GSM networks is encrypted by default, using a stream cypher called A/5. To intercept calls, GSM Interceptors disable network encryption or (the latest systems) lower the encryption level from A5/1 to the weaker A5/2, which can be decrypted in less than a second.
The phone permanently monitors the standard A5/1 GSM encryption (provided by the GSM network) and triggers warning messages if a missing encryption or a change in encryption is detected. In this way, the user is warned about the interception of calls before making a call or answering a call.
To locate the phone, law enforcement agencies send location tracking pings (LTP) to the phone. These are basically malformed SMS (which are invisible on ordinary cell phones, regardless of the brand, price or technology used), usually over the GSM network. In response to the received ping, a normal phone sends back its GSM location data (not to be confused with GPS tracking), which consists of the data of the cell ID of the tower, which actually means the GPS position of the tower with which this Phone is connected.
When the UnPing function is activated, the XCell Stealth Phone will:
1. Trigger alarms when a location tracking ping is received
2. Block responses to received LTPs, thus hiding the phone’s location. Certain special settings are required.
Location tracking alerts are displayed on the Stealth Phones home screen and are saved in a text file.
The user can activate automatic call recording. Every single call is recorded without a warning tone. Call recordings are a valuable resource when dealing with tampered with or hacked recordings, especially in court.
By activating hunting mode, the Stealth Phone warns the user when a call and SMS is intercepted (before the call is answered or before the call is initiated) as well as location tracking. No calls or messages are blocked. In hunting mode, you can check if your phone is being monitored.
Some XCell Stealth Phones use government grade SMS encryption. You need at least 2 similar XCell Stealth Phones. No additional fees, no monthly payments, no internet connection required.
Embedded in the operating system, it prevents reverse engineering or hacking due to obfuscated source code. In this way it is not possible to manipulate the encryption algorithm, which is hidden for the cryptanalysis.
Encrypted instant messaging ensures privacy and security by ensuring that only the person you are sending your messages to can read them. Powerful encryption software built into the messaging apps means that third parties who intercept these messages cannot read them.
There is a wide variety of encrypted IMs that the user can have installed before delivery. Some encrypted IM are installed by default.
⚠ Only available for XStealth Lite and XStealth.
⚠️ This function is our patented, proprietary SMS encryption solution. It requires at least 2 XStealth devices to function.
Many foreign police and intelligence agencies use secret “silent” SMS to locate suspects or missing persons. This method involves sending an SMS text message to a suspect’s cell phone. This SMS goes unnoticed and sends a signal back to the sender of the message. Silent SMS use an invisible return signal or “ping”. The message is rejected by the recipient’s cell phone and leaves no trace. In return, the sender receives the geographic location of the mobile phone.
A spy call is a call made by a GSM Interceptor to a cell phone to eavesdrop on what’s around the phone. This call cannot be recognized by the phone user. The phone does not ring or vibrate and the home screen remains off (no indication of an active call). A spy call is not visible in the call list.
XCell Stealth Phones block spy calls or allow the user to answer the call depending on the phone model.
A silent call is a call originating from the GSM Interceptor to a specific IMEI and IMSI to make correlations between IMEI, IMSI and MSISDN (Mobile Subscriber Integrated Services Digital Network number) which is actually that of the SIM Card corresponding telephone number). Using the silent call, a GSM Interceptor can determine a specific phone number associated with a specific IMEI and IMSI. Silent calls are the result of a process called ping. This is very similar to an Internet Protocol (IP) ping. A normal telephone cannot recognize a silent call. Not to be confused with Spy Call, which means you need to listen to the surroundings of the phone.
A silent call is also used by a GSM Interceptor to locate a cell phone by initiating a silent (blind) call. Ordinary cell phones do not ring or vibrate and must transmit on a frequency controlled by the interceptor. Then a DF device (Direction Finder) is used to locate the signal source (target cell phone). Up to 1m accuracy. GSM Interceptor enables regular incoming and outgoing calls and SMS during this process. A silent call is also used to capture the current TMSI number.
XCell Stealth Phones are designed to detect, reject and block silent calls.
The Security Suite is installed on certain XCell Stealth Phones and contains up to 7 special functions:
Call encryption for XStealth Lite and XStealth is only available upon user request. Consists of call encryption apps that use data connections and third-party servers. Not recommended.
The user can immediately check whether the Stealth Phone is connected to a GSM Interceptor or is affected by SS7 surveillance by running the “Instant Interception Check” app.
After the start, the function begins to check the active and passive monitoring, step by step. When monitoring with active and semi-active GSM Interceptors, the Stealth Phone checks:
The Stealth Phone is checked when attempts are made to intercept passive GSM Interceptors:
It pings the HLR/VLR core network and calculates network redundancy and abnormal ping delays. At the end, a network security assessment is made.
By forcing the cell tower to be selected again (parameter C2), active and semi-active GSM Interceptors force every mobile phone to disconnect from the home network and connect to the fake cell tower. This is also called BCCH manipulation and is used by all modern GSM Interceptors. When this feature starts, the Stealth Phone will:
In addition to IMSI Catchers and GSM Interceptors, which are small and mobile (sometimes vehicle-mounted) eavesdropping systems, law enforcement authorities use so-called lawful interception (SS7 interception or interception by operator help), a special piece of hardware that is directly connected to the GSM core network (at the level of the network switch).
cryptoTRACERⓇ is a unique function based on XCell’s own algorithms, which can immediately recognize legally compliant eavesdropping attempts and alert the user if calls and SMS are intercepted with SS7 means (strategic eavesdropping solutions).
A live network monitoring tool that looks for IMSI Catchers and GSM Interceptors, SS7-based eavesdropping devices, and other network anomalies. A function for detecting eavesdropping in real time is also available. No false positives due to intelligent scan mode. Similar to the Instant Interception Check available for the XCell Dynamic IMEI range of products.
⚠️ Available on XStealth only.
The user can check the security of his mobile Stealth Phone connection in real time. Detects interception of calls and SMS in the following ways: IMSI Catcher, GSM Interceptor or SS7 (also known as Network Switch Based Interception).
This is the proximity alert function. The phone detects any abnormal LAC (Location Area Code) when it is stationary, changes that are only made by IMSI catchers / GSM interceptors in order to force a connection for eavesdropping purposes.
⚠️ Available at Android Ultra Secure Stealth Phone.
The user can lock the microphone at any time to prevent remote activation so that the environment cannot be monitored via Silent Call or Spy Call.
⚠️ Available at Android Ultra Secure Stealth Phone.
The user can lock the camera at any time and thus prevent remote activation for spy images and films.
⚠️ Available at Android Ultra Secure Stealth Phone.
Android Ultra Secure Stealth Phones are supplied with a calibration app, which is required for 2G and 3G networks. Make sure to run Calibrate when the phone is connected to the home network (not roaming, not connected to a GSM interceptor). Best of all: when you are out and about. Only use MNO SIM cards within the country that issued the SIM card. GSM country code and SIM country code should be identical.
When you activate the phone for the first time, you should run the calibration function: the Stealth Phone will calibrate itself, test the GSM network and save the data of the home network, which is part of the self-learning process. It is important that you are using a new SIM card (whether subscribed or prepaid) and that you are in a safe place (connected to a real GSM network).
Other XCell Stealth Phones use automatic calibration when a new SIM card is inserted.
To make operation easier, the most important monitoring and warning functions are also displayed on the start screen. Since the main home screen looks anonymous and like any other smartphone, simply swiping the screen will bring up all of the monitoring functions on the screen.
IMEI engine, IMSI engine and other software components are moved to a separate partition (sandbox) for faster and smoother operation. The system restart has been suppressed in case of abnormal network properties (i.e. generated by IMSI Catcher and GSM interceptor).
Continuous scanning on the network is a background process that never stops. The Stealth Phone searches for GSM and SS7 threats. Also works in airplane mode. As a result, the battery discharges faster than normal cell phones.
No other secure cell phones come with a testing tool.
Android Ultra Secure Stealth Phones – XStealth Lite and XStealth – come with a test tool: XPing Tool. This is an Android application that was developed to test the location tracking alert and the receipt of location ping.
XPing Tool can be installed on any other Android device (4.2 and higher) that can send location tracking pings to any other mobile phone.
⚠️ In order to be legal for use, we have removed the location data sent back from the target phone to the sender phone along with the delivery report. The sender cell phone only receives a standard delivery report stating that the location ping was sent and received by the target cell phone. The sender telephone does not receive any location data back.
Not compatible with other XCell Stealth Phones.
All XCell Stealth Phones are virus, malware or spyware immune by default. Apps cannot be installed even by the user himself. The app installation is deactivated. Remote code execution is not possible even as a result of SIM toolkit attacks.
⚠️ No need for antivirus app.
At the customer’s request, the GPS module can be deactivated on both the software and hardware level.
At the customer’s request, the camera module can be deactivated on both the software and hardware level.
All Google software components will be removed at the customer’s request. This can lead to system stability problems.
⚠️ Only available for XStealth Lite and XStealth.
All other XCell stealth phones do not have a Google software component by default.
If the Stealth Phone is connected to an external device other than the paired charger, a self-nuclear mechanism will be triggered and the motherboard will self-destruct. There are no unlocking procedures. This can only be fixed by replacing the motherboard.
When the self-nuke mechanism is triggered, the Stealth Phone goes into protected mode (permanent boot loop): Bootloaders are deleted and the Stealth Phone’s motherboard discharges itself on the data lines with the first USB connection with 200 VDC.
⚠️ Laboratory tests also repeatedly set the phone’s battery on fire, with ignition being caused by the high-voltage discharge.
⚠️ Stealth Phones are delivered with the function deactivated. Activation only upon customer request before shipment.
⚠️ Our company is not responsible for any damage or loss if any charger other than the one supplied is used or if an attempt is made to connect the Stealth Phone to any other external device.
You can use a regular bootloader to change all of the software on your phone. By locking (encrypting) it, we are preventing others from doing this. Other means not only forensic examiners, but also the owner of the phone itself. In this way, we want to offer as little attack surface as possible to hackers and forensics who want to interfere with the phone for security reasons. We do not want customer-specific software to be installed that can degrade or even destroy the security of the Stealth Phone. The phone keeps a read-only copy of the encryption key that blocks any firmware updates that could be aired by hackers or even intelligence agencies to gain access to your phone. The Stealth Phone keeps a read-only copy of the manufacturer’s public key internally. This means that the phone gets the best of both worlds: it prevents users from uploading unsigned malicious changes to the Stealth Phone, while allowing us to fix any software problems when we have the phone in our hands.
With a signed firmware, our programmers can verify that the firmware has not been tampered with when a user asks for it. Thanks to the encryption, obfuscation and signature of the firmware, no extraction for further cloning or analysis of the device depth is possible.
Highly secure bluetooth connection. Remote activation not possible, 100% user control.
False positives mean false positives triggered by normal and harmless events on the Stealth Phone. For example, some wireless service providers do not use standard encryption for SMS as intended. Without suppression of false positives, an SMS eavesdropping alarm is triggered when an SMS is sent or received without actually being intercepted. The same goes for location tracking pings.
XCell Stealth Phones are protected from forensic investigations by volatile USB filters. No forensic device can extract any data or files from the Stealth Phone. As soon as the Stealth Phone is connected to such a device, a PC or a service box, the volatile USB filters trigger a self-destruction of the motherboard and the Stealth Phone goes into protected mode (permanent boot loop).
All XCell Stealth Phones that are charged via a micro USB port come with a paired charger. Other chargers or power banks are not allowed. The paired charger is used to protect against forensic investigations and data extraction. If anything else is plugged into the USB port, the motherboard will self-destruct.
⚠ Stealth Phones are delivered with the function deactivated. Activation only upon customer request before shipment.
Stealth Phone users have 100% control over their own XCell Stealth Phone. No OTA updates, no hidden strings, no servers involved.
Most XCell Stealth Phones have received independent security reviews from three different companies, all of which have passed successfully.
Effective anti-tampering mechanisms are installed on both the software and hardware level. Hardware tamper protection is the resistance to tampering (deliberate malfunction or sabotage) either by the normal users of a product, package or system or by others who have physical access to it. Software anti-tampering techniques allow firmware to inspect itself and see if its code has been changed. We refer to these techniques as self-checking, which literally read the binary code of the protected software using special functions called checkers.
A cell phone battery has up to 4 micro cells inside. When intelligence agencies intercept the package containing your new cell phone, they replace one of the microcells with a tracking device before delivery, powered directly by the remaining microcells. Since the user of the cell phone always charges the battery before it is discharged, he always keeps the tracking device alive.
⚠ Stealth Phones use tamper-proof batteries
Mobile devices are easy targets for both hackers and abusive state actors. So we designed the most secure Android – XROM – to protect against a wide variety of attack vectors without worrying about who has access to your data. XROM is based on the latest stable version of the Android open source project and has the basic data protection and security functions from there, which are already way ahead of any conventional desktop / mobile Linux distribution.
Unlike other flavors of Android, including aftermarket operating systems and the forks that manufacturers create for their devices, XROM doesn’t disable or weaken basic security features like verified boot and the SELinux policy.
The Android runtime was taught not to look for executable code (oat and odex files) in / data / dalvik-cache, and the execute and symlink read permissions for the dalvik cache label were changed for system_server and domains, which are only used by the base system, removed so that the policy only allows it for untrusted_app, isolated_app and the shell domain for adb shell.
XROM cannot be downgraded for abusive exploits. System files are protected from being copied or extracted.
Fully verified boot process that includes all firmware and operating system partitions. The unverified user data partition is encrypted and is deleted by a factory reset. Rollback protection is implemented via the Replay Protected Memory Block. The kernel attack surface is reduced using seccomp-bpf. Linux kernel defaults are paired with a randomization of the library load order in the linker.
Most “secure” cell phones and apps these days request software updates from time to time, which is basically not a bad thing. The main problem is that fake software updates can be deployed by skilled hackers or abusive law enforcement agencies to trick the phone user and install spyware without the user being aware of and consenting to it. This is because a malicious app or code execution can easily be disguised as a software update and easily installed on the phone remotely. This is actually the way law enforcement agencies get remote access to phone data.
This is an example: https://www.youtube.com/watch?v=h98KtUgUOsg
Apps cannot be installed or existing ones removed on XStealth Lite and XStealth. The app installation is blocked on XStealth Lite and XStealth and the uninstallation of the app is blocked. We blocked the apps uninstall process to prevent security apps from being removed, obviously exposing the phone to various exploits, attacks and data extraction.
In this way, we prevent remote spyware installation by improper app upgrade or by exploiting the “Time-of-Check to Time-of-Use” vulnerability described below.
Almost half of all Android systems, 49.5 percent to be precise, contain a vulnerability that could allow an attacker – hacker or other abusive actor – to abuse the application’s installation process to install spyware on affected mobile devices.
There is an Android OS vulnerability called Time-of-Check to Time-of-Use. This vulnerability affects approximately 89.4 percent of the Android population. Potential attackers can exploit this flaw in two ways. They can either use a harmless looking app with harmless looking permissions to download a separate malicious app in the future, or they can simply force a user to download an absolutely malicious app that contains a seemingly innocuous set of permissions.
APKs are the file format used to install software on the Android operating system. As a result, the person or thing tampering with the APK can install arbitrary or malicious code on vulnerable devices out of sight of the user.
From memory, Android uses PackageInstaller to continue the installation. Once the installation begins in earnest, the package to be installed will appear in a user interface called PackageInstallerActivity. Here the user can confirm the download and check the requested permissions, which is also known as the “time of the check”. In this case, however, the “time of check” vulnerability makes it possible for the attacker to manipulate the information displayed on the PackageInstallerActivity page. In other words, the attacker can make it appear that the user is downloading one app when in fact they are downloading a completely different app. The app installation is also blocked by anti-forensic filters to protect the phone: a forensic client cannot be installed on the phone to extract data and / or files. If the app installation is forced, the self-nuke mechanism is triggered and the phone goes into protected mode (permanent boot loop): bootloaders are deleted and the main board of the phone takes a discharge of 200 VDC when it is first connected to the USB on the data lines.