Those 'stingray' detector apps are basically useless, say researchers

Researchers found at least one major flaw in the five leading stingray surveillance trackers for Android.

There's almost a one-hundred percent chance that during the time you've owned a cell phone, it has at some point connected to a "stingray" phone tracker, a controversial surveillance tool used often by local law enforcement to capture the communications of anyone within its range.

There's also a good chance that the Android app you may have installed that was meant to detect this sneak surveillance attack did nothing to warn you.

Academic researchers at Oxford University and the Technical University of Berlin found that several leading Android apps designed to detect when a phone connects to a fake cell site, known as a "stingray," can be easily bypassed, allowing the stingray owner to eavesdrop on calls, intercept messages, and track the precise location of a phone.

The researchers found that the top five stingray detection apps in the Google Play app store -- SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD -- failed on at least one count to alert the phone owner when their device has connected to a fake cell site.

By setting up their own "white stingray" tool -- a computer hooked up to a software-defined cellular radio -- the researchers could test each app for various known exploits.

On the plus side, all of the apps were able to detect some kind of surveillance, such as when a cell connection was forcibly downgraded, and when a "silent" text message was received to geolocate a phone.

But all of the apps could still be tricked -- simply by switching to another attack method instead.

Two of the attacks could not be detected by any app, the researchers said. "Surprisingly, none of the apps consider whether the [phone] has received a special type of silent call or not." The paper also noted that none of the apps were able to detect an authentication token replay

The paper found that the effectiveness of the apps was largely limited by constraints put in place by the Android operating system. Several of the apps did not have root access, which is required to reach some of the programming interfaces needed to detect some of the attacks.

Ravishankar Borgaonkar, co-author of the paper, told ZDNet prior to the paper's publication that, "due to the limitation of Android APIs, it's difficult for developers to build an effective detection app."

The paper was released Monday ahead of a presentation at the Usenix Woot conference in Vancouver, Canada.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
