Privacy Tools Guide

Mobile devices communicate with cell towers through the baseband processor—a dedicated chip that handles all cellular radio functions. This component operates independently from the main application processor, making it an attractive target for sophisticated attackers. Rogue cell towers (also known as IMSI catchers or StingRays) can intercept calls, track device locations, and inject malicious signals. This guide covers practical methods for detecting baseband attacks and rogue cell towers using Android apps.

Understanding the Threat ecosystem

The baseband processor runs a real-time operating system (RTOS) with its own firmware, separate from Android. This isolation creates a blind spot: the main operating system has limited visibility into baseband activities. Attackers who compromise the baseband can:

Rogue cell towers exploit this by masquerading as legitimate network equipment. They broadcast stronger signals to attract nearby devices, then perform man-in-the-middle attacks against connected phones.

Android App Tools for Detection

Several Android applications can help identify suspicious cellular activity. These tools monitor network parameters that change when a device connects to a rogue tower.

SnoopSnitch

SnoopSnitch collects and analyzes mobile network data to detect fake base stations and surveillance. The app requires a device with Qualcomm chipset and root access for full functionality.

Key features include:

To use SnoopSnitch effectively, run periodic scans and review the alerts panel for any detected anomalies. Pay attention to events marked as high severity.

CellMapper

CellMapper crowdsources cell tower location data, helping you verify whether connected towers match expected locations. Significant discrepancies between reported and actual tower positions may indicate a rogue cell tower.

The app provides:

Compare the tower ID and location shown in CellMapper against known legitimate towers in your area. Unexpected towers warrant further investigation.

Technical Detection Methods

For developers seeking deeper analysis, several programmatic approaches exist.

Monitoring Cell Information via Android API

The Android TelephonyManager provides access to cell tower data. Here’s a basic implementation for reading cell information:

TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
List<CellInfo> cellInfoList = tm.getAllCellInfo();

for (CellInfo cellInfo : cellInfoList) {
    if (cellInfo instanceof CellInfoLte) {
        CellInfoLte cellInfoLte = (CellInfoLte) cellInfo;
        int pci = cellInfoLte.getCellIdentity().getPci();
        int tac = cellInfoLte.getCellIdentity().getTac();
        int signalStrength = cellInfoLte.getCellSignalStrength().getDbm();

        Log.d("CellInfo", "PCI: " + pci + ", TAC: " + tac +
              ", Signal: " + signalStrength + " dBm");
    }
}

Monitor for sudden changes in TAC (Tracking Area Code) or PCI (Physical Cell Identity) which may indicate a handoff to an unauthorized tower.

Detecting Cell ID Changes

Implement a BroadcastReceiver to monitor cell changes:

public class CellChangeReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (TelephonyManager.ACTION_PHONE_STATE_CHANGED.equals(intent.getAction())) {
            String state = intent.getStringExtra(TelephonyManager.EXTRA_STATE);
            if (TelephonyManager.EXTRA_STATE_IDLE.equals(state)) {
                // Phone disconnected from cell
                Log.i("CellMonitor", "Call ended - check for anomalies");
            }
        }
    }
}

Register this receiver in your manifest:

<receiver android:name=".CellChangeReceiver">
    <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
    </intent-filter>
</receiver>

Analyzing Network Protocol Messages

For advanced analysis, capture network messages using Android’s bugreport feature or specialized tools. Examine these key indicators:

Real-World Threat Scenarios

Understanding actual threat scenarios helps prioritize detection efforts.

Scenario 1: Border Checkpoint Surveillance

At international borders, law enforcement may deploy IMSI catchers to:

Detection approach: Monitor network downgrade, verify cell ID against known carrier maps, avoid making calls at borders if possible.

Scenario 2: Activist/Dissident Targeting

Authoritarian regimes deploy IMSI catchers at:

Detection approach: Run SnoopSnitch continuously in high-risk locations, establish baseline of normal towers, create alert system for anomalies.

Scenario 3: Corporate/Competitive Intelligence

Industrial espionage actors sometimes deploy IMSI catchers near:

Detection approach: Monitor for multiple IMSI catchers simultaneously, check for coordinated signal injection patterns, review email/message timing against detected attacks.

Scenario 4: Criminal Investigation

Law enforcement with warrants may deploy transient IMSI catchers:

Detection approach: Maintain historical baseline, notice new towers appearing/disappearing, flag towers active only during specific times.

Practical Detection Workflow

Implement a systematic detection process:

  1. Baseline establishment: Document your normal cellular environment—legitimate towers, signal strength ranges, typical network operators in your regular locations
  2. Regular scanning: Run detection apps daily (SnoopSnitch), noting any anomalies
  3. Signal analysis: Investigate sudden signal strength changes without corresponding movement (walk toward/away from tower to verify)
  4. Tower verification: Cross-reference connected towers with CellMapper known networks, check if tower IDs appear in carrier databases
  5. Protocol inspection: Review network connection types (2G/3G/4G/5G) for unexpected downgrades, particularly forced 2G which suggests interception
  6. Timing correlation: Document times of suspicious activity, correlate with your location and activities

Advanced Detection: Network Analysis Tools

Power users can deploy more sophisticated detection mechanisms by monitoring network traffic patterns and timing behaviors.

Using tcpdump for Signal Analysis

On rooted Android devices with tcpdump, capture and analyze cellular radio data:

# Capture all traffic to identify anomalous patterns
adb shell tcpdump -i any -w /sdcard/capture.pcap

# Analyze the capture offline with Wireshark
wireshark ./capture.pcap

# Key patterns to investigate:
# - Unexpected DNS requests to unfamiliar servers
# - Traffic to IP addresses not matching known carrier networks
# - Abnormal packet timing suggesting signal injection

Timing Analysis and Radio Measurements

IMSI catchers often exhibit distinctive timing signatures. Monitor these metrics:

// Log timing data between cell transitions
fun monitorCellTransitionTiming(context: Context) {
    val tm = context.getSystemService(Context.TELEPHONY_SERVICE) as TelephonyManager
    val signalStrength = tm.signalStrength

    // Rapid signal strength fluctuations without movement suggest active attack
    if (previousSignal != null) {
        val delta = abs(signalStrength.level - previousSignal.level)
        if (delta > 2) {
            Log.w("Security", "Rapid signal change detected: $delta levels")
        }
    }
    previousSignal = signalStrength
}

Threat Models and Risk Assessment

Different threat actors employ different IMSI catcher capabilities. Understanding the threat model helps calibrate detection sensitivity.

Law Enforcement IMSI Catchers

Government agencies typically use sophisticated equipment like Stingrays (Harris Corporation), which:

These are difficult to detect through behavioral analysis alone, but combined tools can identify activation patterns.

Civilian-Grade IMSI Catchers

Lower-cost alternatives including open-source implementations (Software-Defined Radio kits) typically:

These remain detectable through standard monitoring approaches.

Hybrid Threats

Some sophisticated actors deploy multiple layers:

Detection requires monitoring both network layer (IMSI catcher) and radio layer (baseband activity).

Operational Security During Detection Activities

If you suspect active targeting, operational discipline prevents counter-intelligence:

# Rotate to clean devices for detection analysis
# Never use your primary communications device for investigation

# Document findings in offline media
# Create encrypted, disconnected archives

# Use air-gapped systems for analysis
# Never connect analytical equipment to potentially compromised networks

Use write-once media (DVDs, optical media) for archiving analytical findings if extremely high risk is suspected.

Tool Combination Strategy

No single tool provides complete detection. Effective security combines multiple independent methods:

  1. App-based passive monitoring: SnoopSnitch and CellMapper provide continuous data
  2. Manual signal inspection: Periodic analysis using tcpdump and Wireshark
  3. Timing behavior review: Monitor signal strength changes and network transitions
  4. Protocol anomaly detection: Examine cell broadcast messages and encryption downgrades
  5. Historical baseline comparison: Establish normal patterns then compare against observed behavior

Limitations and Considerations

Detection tools have constraints. IMSI catchers with advanced capabilities can defeat some detection methods by:

No single method guarantees detection. Defense-in-depth—combining multiple tools and remaining aware of unusual device behavior—provides the strongest protection.

For high-risk users, consider hardware solutions like Faraday bags when not actively using the device or dedicated encrypted communication applications that use end-to-end encryption independent of cellular network security. Some security professionals recommend switching to WiFi-only communication when in potentially compromised locations.

When Detection Fails

If you cannot reliably detect IMSI catchers in your environment, consider these alternatives:

Professional-Grade Detection Equipment

For high-value targets, commercial IMSI catcher detection equipment exists:

Commercial Detection Tools

IMSI Catcher Catchers (such as Septier):

HackRF-Based SDR Detection:

Commercial Network Monitoring:

Most individuals cannot justify commercial detection equipment. App-based and protocol analysis remain the practical approach.

Baseband Exploit Indicators

Beyond IMSI catchers, sophisticated attackers may exploit the baseband processor itself:

Signs of Baseband Compromise

  1. Unexpected resets: Baseband crashes manifest as spontaneous reboots
  2. Temperature anomalies: Baseband exploit execution generates heat (check with thermal imaging or temp sensor apps)
  3. Battery drain patterns: Continuous radio operations drain battery even in standby
  4. Data usage anomalies: Unexplained data transmission detected through network monitoring
  5. Baseband error logs: On rooted devices, examine baseband logs:
# Access baseband diagnostics
adb shell cat /dev/kmsg | grep -i "baseband\|modem\|radio"
adb shell dmesg | grep -i "modem"
adb shell dumpsys | grep -i "radio"

Baseband exploits remain difficult to detect without deep radio knowledge. If you suspect compromise at this level, consider replacing the device entirely rather than attempting remediation.

Post-Detection Actions

If you detect IMSI catcher activity, follow these steps:

  1. Document evidence: Screenshot alert messages, record timestamps, preserve tcpdump captures
  2. Stop sensitive communications: Discontinue phone calls, SMS, and data usage immediately
  3. Switch location: Move to a different geographic area and monitor for tower changes
  4. Notify relevant parties: Contact law enforcement (if legal), digital rights organizations, or legal counsel
  5. Device isolation: Consider this device potentially compromised; begin using alternative device
  6. Change security practices: Assume past communications may be compromised; adjust operational security accordingly

The goal of detection is not necessarily to catch attackers, but to modify behavior in response to likely targeting.

Built by theluckystrike — More at zovo.one

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides