XCell Security

Untraceable cell phones.

Blog icon written by XCell Technologies
Calendar icon

Published on April 01, 2021

Test your "secure" phone. Now.

Before everything, let’s face it: who do you really fear?
There are not so many hackers around that can actually track your cell phone, because of few simple reasons: expensive hardware needed, lack of knowledge regarding GSM stack and SS7 protocol effective exploits, not to mention that hackers have no interests on you, average Joe. Excepting your worried parents and jealous girlfriend, no one wants to know your (cell phone) geo-location. Tracking a cell phone is not a simple “push button” situation when is done by a hacker. That involve deep and extensive knowledge, pretty expensive hardware, time and not least, an considerable interest on you, average Joe. Which obviously is not the case unless you are just another skilled hacker or a high profile person.

The situation became serious when you did something bad or even illegal. Then, you became a target for law enforcement and/or intelligence agencies. And there is no way to hide your (cell phone) location. They have not only the legal ability to track down your cell phone at any time, but have also technological and human resources to do that, not to mention training and expertise.
In case you think that your own cell phone is secure, its time for 2 simple tests.


Just remove the SIM card (if you have one) and call any local emergency number (e.g. 112 or 991) or, if you have a modern cell phone, just press the emergency button. It works, doesn’t it? You can call even without a SIM card. Are you surprised? You should now think about the security of your phone. This is what “safe” phone manufacturers and retailers hide from you:

As soon as you switch on your “secure” cell phone, the telephone radio modem is active. There is no other option. An active radio modem means that your phone can “see” the surrounding cell towers to make possible emergency calls. It also means that all surrounding cell towers (up to 6, from all local carriers!) can “see” your “safe” phone to enable emergency calls. The cell tower that handles your emergency call and to which your “safe” phone connects is the closest one. This is how your emergency call is handled: Your “secure” cell phone sends a registration request to the network, providing its IMEI and (if inserted) SIM-IMSI. There is no other way to make a phone call, even without a SIM. You can make emergency calls even without a network signal. If your phone loses signal from your carrier’s network, it will automatically connect to the strongest network it can find to enable emergency calls.

From this point on, your “secure” cell phone becomes easy prey: phone IMEI and SIM-IMSI (if a SIM card is inserted) are stored at the network level and are available not only to the network operator, but also to law enforcement agencies. In addition to your phone’s identifiers (IMEI and IMSI), your phone’s geo-location is also disclosed and available to the aforementioned agencies.

**Please note:** No call to a local emergency number is required for IMEI/IMSI acquisition. As soon as you turn on your cell phone, its radio modem sends requests to the nearest cell tower. As a result, your phone’s IMEI is revealed and stored on the network’s HLR/VLR servers, where it is available for location tracking procedures or call interception.

According to this, the sky is the limit: Abusive governments (and sometimes skilled hackers) can invade your “safe” cell phone and install a wide range of spyware that bypasses all known anti-virus apps. This is how FinSpy (a government spying tool) gets installed on your “safe” cell phone. Please note that all of this does not require you to make an emergency call, just turn on your phone.

Sure, you can put your “secure” cell phone into airplane mode, which will turn off the phone’s wireless modem. But this will also turn off WIFI and data connections, making your “safe” cell phone worthless.

Now you know that it’s time to seriously change your approach to “secure” cell phones…. Learn more about government-grade spyware.


Whether you like it or not, it is time to find out if your secure phone is vulnerable to government spyware. It doesn’t matter if you have turned your regular cell phone into a “safe” phone by installing various “safe” applications like Silent Circle, Signal or Telegram, or if you have bought a ready-made “safe” phone from a well-known web store. From the point of view of such spyware, (almost) all phones are the same. And this is not necessarily due to the weakness of your phone, but to the weaknesses of the mobile network (including SS7 protocol).

You don’t need an antivirus program to check your phone’s security vulnerabilities. You don’t need a specially developed app to reveal your phone’s security vulnerabilities. You also don’t need a deep understanding of GSM stack, cell phones, cryptanalysis and programming. All you need is to hold your phone in your hands. So let’s get started.

Try to install any (we mean any) compatible application on your “secure” cell phone. Whether it’s from Google Play, App Store or on your SD card or phone memory. It doesn’t really matter. All that matters is the result of the installation: if you managed to install any compatible app on your “secure” phone, it means that your phone failed this simple security test. That’s all you need to know. And of course, you must not forget that your “secure” cell phone is not good for anything. Not to mention that your privacy is just a false feeling and not a real situation. Here’s why:

Government-grade spyware can be installed remotely on virtually any cell phone (Android, iPhone, BlackBerry, Windows Mobile, Symbian, etc.). And usually it is installed remotely because there are not that many field agents who can trick you into picking up your phone unless you are a high-profile target. This can also be done remotely with your “secure” phone itself in your own pocket.

It does not need any interaction from the phone user to complete the installation of the spyware. If they need to, they will trick you big time, just like the Italian government and private companies did with the help of Italian network operators when they installed Exodus on people’s cell phones: they pretended that the user has to install an app that will fix the phone’s network connection, which was actually a spyware installed by the network operator itself. All this after the same accomplice, the network operator, refused to allow the phone to connect to the network, just to make sure that the phone’s user would be happy to install the “solution” they had infiltrated.

If you can install any app on your “secure” cell phone, then abusive state actors can do the same remotely whenever they need to, without your help or knowledge, and without your consent. Which is deeply illegal without a warrant, but that’s just a small thing these days, unfortunately.

Now comes the worst part: not only governments, but also a few skilled hackers can remotely install a spy app on your phone. This can be done by injecting code into an existing app on your phone, which is then pushed as a legitimate app update. Just one example, here:

Remote code injection

Install spyware remotely on a cell phone.


Above, one of the many “secure” phones that pretend to prevent tapping. You can easily see that “emergency call” is available on the bottom home screen.

Not even notoriously encrypted phones are immune to this attack. A few years ago, an average person posted a short movie on YouTube showing how a well-known app used for encrypted corporate communications – GoldLock – was defeated by a cheap commercial spy app called FlexiSpy.

Since he had the phone in his hands that already had GoldLock installed, he also installed FlexySpy on the same phone. He started an encrypted phone conversation with another GoldLock phone. The entire conversation was recorded by FlexySpy in plain text, as FlexiSpy taps the audio directly from the microphone even before GoldLock goes to voice encryption. Then, when the conversation was finished, it was automatically sent by FlexiSpy via WIFI or data connection to a server where it could be listened to by the user’s personal account. Simple, efficient and embarrassing for a top-notch encryption application. You can do the same test whenever you want.

For some reason, the video was removed from YouTube, so we can’t post a link. Since then, free test apps from GoldLock are also no longer available to avoid other similar situations.

And yes, the same thing can happen to your “safe” cell phone.

A special note for feature phones (also known as dumb phones), which we use as hardware for making a wide range of stealth phones: No sophisticated spyware application can be remotely installed on them due to the lack of an operating system. In fact, there is no spyware for dumb phones today for one simple reason: almost no one uses them, a situation that does not fit with mass surveillance. To draw a parallel: It’s like trying to install Windows on a calculator. However, a normal feature phone can be remotely monitored via a SIM toolkit attack or via SS7 eavesdropping systems like SkyLock and ULIN, which does not require an app to be remotely installed on the phone.

Now you know it’s time to make serious changes to your approach to “secure” cell phones.

Are XCell Stealth Phones immune to spyware remote installation? No doubt about it: yes. We have eliminated or quarantined (depending on the phone model) the vulnerability in SIM Toolkit using SIM Toolkit Inhibitor, while blocking all app installation directly at the firmware level.

Let’s keep in touch!

We’d love to keep you updated with our latest news and offers

Further articles

Google Smartphone

DeGoogled Android​

We know you all want to get rid of Google apps on your Android smartphone. But can you really get rid of them? And is it really good for your privacy and security? We don’t think so. Read more

How confidential are your calls

How confidential are your calls?​

This case, discovered by Indian cybersecurity researcher Anand Prakash, was just a bug of bad programming, and is euphemistically called IDOR, short for Insecure Direct Object Reference.