/>
X
Innovation

Those 'stingray' detector apps are basically useless, say researchers

Researchers found at least one major flaw in the five leading stingray surveillance trackers for Android.
Written by Zack Whittaker, Contributor on
maxresdefault.jpg

(Image: file photo)

There's almost a one-hundred percent chance that during the time you've owned a cell phone, it has at some point connected to a "stingray" phone tracker, a controversial surveillance tool used often by local law enforcement to capture the communications of anyone within its range.

There's also a good chance that the Android app you may have installed that was meant to detect this sneak surveillance attack did nothing to warn you.

Academic researchers at Oxford University and the Technical University of Berlin found that several leading Android apps designed to detect when a phone connects to a fake cell site, known as a "stingray," can be easily bypassed, allowing the stingray owner to eavesdrop on calls, intercept messages, and track the precise location of a phone.

The researchers found that the top five stingray detection apps in the Google Play app store -- SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD -- failed on at least one count to alert the phone owner when their device has connected to a fake cell site.

By setting up their own "white stingray" tool -- a computer hooked up to a software-defined cellular radio -- the researchers could test each app for various known exploits.

On the plus side, all of the apps were able to detect some kind of surveillance, such as when a cell connection was forcibly downgraded, and when a "silent" text message was received to geolocate a phone.

But all of the apps could still be tricked -- simply by switching to another attack method instead.

Two of the attacks could not be detected by any app, the researchers said. "Surprisingly, none of the apps consider whether the [phone] has received a special type of silent call or not." The paper also noted that none of the apps were able to detect an authentication token replay

The paper found that the effectiveness of the apps was largely limited by constraints put in place by the Android operating system. Several of the apps did not have root access, required to access some of the programming interfaces needed for detecting some of the attacks.

Ravishankar Borgaonkar, co-author of the paper, told ZDNet prior to the paper's publication that, "due to the limitation of Android APIs, it's difficult for developers to build an effective detection app."

The paper was released Monday ahead of a presentation at the Usenix Woot conference in Vancouver, Canada.

Editorial standards

Related

The 16 best Cyber Monday deals under $30 still available
Amazon Fire TV Stick 4K

The 16 best Cyber Monday deals under $30 still available

Epson is going to stop selling laser printers. Here's why
piles-of-paper.jpg

Epson is going to stop selling laser printers. Here's why

Don't waste your money on these Apple products: December 2022 edition
Waiting in line for the Apple Store

Don't waste your money on these Apple products: December 2022 edition