This article is just an update on previous one.
Following first blog article revealing his scam, Deniz Ok changed his eBay account name from sec_tel_world to secure_gsm.
Also, the scammer removed from eBay the other scam: "Secure 4G WIFI router".

Trying to erase scam traces, Deniz Ok has changed a company fake postal address with another one, as fake as first one: ABC LIMITED (Deniz Ok) 22 Eastcheap, London EC3M 1EU, United Kingdom. What he is actually trying to say is that his "company" is located in the heart of London, next door to London Tower, a very expensive London area, paying a rent for an expensive office, selling on eBay some stealth phones manufactured by other company. No company website, no real address and no registration. How much credibility can have this hilarious cover?

Also, there is no ABC Limited company registered in the UK: check here.

Late edit 1 (2nd April): we have sent one of our friends from London, to visit ABC Limited "company", on that specific address. Updates in few days.
Late edit 2 (9th April). Have a wild guess: on that address is no ABC Limited company. Our London friend has asked about Deniz Ok, as well. The same result: there is no Deniz Ok on that location. Busted. Again.

All info below are coming from XCell Technologies management team, and also from public sources.

We have discovered a new kind of scam/fraud and the person behind that: Deniz Ok. Apparently is located in Düsseldorf (Germany) and London (UK), if we consider data he offer on eBay account. We doubt that is his real name, but he use this name to run all kind of scams and fraud, associated with 2 company names: ABC Limited (UK) and ABC Großhandel (Germany).

Late edit: Deniz Ok changed his eBay account name from sec_tel_world to secure_gsm, hoping to erase traces and continue this scam. It didn't work.

Fraudster Deniz Ok managed to get a large quantity of XStealth Phones without paying a dime. Of course, by fraud. Yes, XStealth Phones he sell on eBay are genuine. But... Yes, there is a "but": being a custom made order, his lot of XStealth Phones does have some particularities:
1. All XStealth Phones were delivered without batteries (which are single cell custom made batteries that avoid pro bug insertion). Instead of genuine batteries, fraudster use regular batteries which not only last less than original batteries but are also vulnerable to location tracking and environmental listening when a battery cell is replaced with this sort of professional bug.
2. Based on Deniz Ok requirements, certain software components were removed, and also added other software applications which made those particular XStealth Phones vulnerable to location tracking and remote intrusion.
3. On top of that, due to the nature of products, the fraud was reported first in Germany to Federal Criminal Police Office (Bundeskriminalamt / BKA) and Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz / BfV) and then in the UK, to National Crime Agency (NCA), Metropolitan Police (MSP). MI5 and UK Counter Terrorism Policing. All above agencies got all necessary data to locate every single XStealth Phone ordered by fraudster.

By consequence, every buyer will be located and questioned by law enforcement, once powering up the phone. Instead of a highly secure stealth phone, you will get a banana phone...
This is not too smart for Deniz Ok, and seems like he doesn't care about his customers which are buying those phones to avoid exactly this type of problems.

Probably Deniz Ok is not his real name. We let you know the name he use on eBay scam and other fraud, just to be aware and avoid buying or dealing with him. The same for company names he use: ABC Limited (UK) and ABC Großhandel (Germany). There are no active companies with this name in the UK and Germany, as shown below. Both UK companies were dissolved before creating his eBay account, so probably he stole and used company names and details only to give a legal appearance.

Strange thing, one of above companies had German directors and shareholders, a fact that lead somehow to Deniz Ok which is a German citizen.

In Germany, ABC Großhandel company is even strange: operates as ABC Grupp, having its headquarter in... Tallin, Estonia. The company have nothing to do with cellular phones whatsoever, being "mainly focused on the sale and maintenance of vehicles and the wholesale of food and consumer goods".

On his eBay account sec_tel_world, fraudster and scammer Deniz Ok is using as email address [email protected], pretending that his "company" is called ABC Limited, located on British Monomarks Ltd, Monomark House 27, Old Gloucester Street, London WC1N 3AX, UK.
What is British Monomarks Ltd? Well, is not a office building as you might think. British Monomarks Ltd is providing mail forwarding service, virtual office and telephone answering services. Just perfect for any fraudster and scammer that want to convince you are dealing with a real and legit company located in the heart of London, and not with a scammer located in whatever country. This way, scammer think that no strings can lead to him, all inquiries stopping at British Monomarks Ltd. All good, until above mentioned law enforcement agencies are starting to put some unwanted and cheeky questions to British Monomarks Ltd.

 Have you seen If you are not interested who actually is Deniz Ok and how fraudster work, then you should be interested in scams he do on eBay. Before reading below, just answer for yourself to a simple question: Why buying security from a private person, on eBay?! Do you buy your antivirus app on eBay, from a private person? We hope not. If you do so, then no reasons to read below.
Now, let's see: why buying "secure" cell phones from private persons, on eBay? Probably because of the cheap prices, without keeping in mind that cheap means less. Or even... nothing. And sure, you probably expect customer service, user manuals, accepted returns, extended warranty, repair and updates... from an eBay seller. Do you? If so, have fun with this. But remember that services are provided by companies and not by private individuals. Make sense to you, now? Sure, there are several small companies registered as eBay sellers, but you will never find serious and large companies selling on eBay. This is because eBay is addressing to private individuals rather than companies when it comes to sell an item. Same for eBay buyers: most of them are private persons. Have you seen other companies that manufacture secure cell phones, selling their products directly on eBay? Sure not! Boeing does not sell its Black phone on eBay. Sirin Labs does not sell their phones on eBay. Same for Silent Circle’s Blackphone. And so on. Why buying an XCell Stealth Phone from a private person on eBay, since there are official websites and resellers that provide those phones along with specific customer service, without any hustle and fear of scam?
This is why Deniz Ok sells his scams on eBay and not on a dedicated website: there is no company behind but only a single person. He is not a business man but a con man and a scammer. No need for a real company to do that, but only leaving buyers with a false sense of "serous business" he run. Not to mention the exposure that eBay can offer, even for a scammer like Deniz Ok.
This scammer can anytime delete his eBay account like he does many times before, leaving his "customers" with no help and explanations regarding phone use and various issues.

Deniz Ok is not just a simple scammer. Is all in one: fraudster, liar and scammer. A combination which make him more dangerous than usual eBay scammers. The lie he use on eBay phone description is exposed below.

As anyone can read on XCell website, XStealth Pro is not yet released (this article is published today 27th January 2022). Based on XStealth developers declarations, Pro version will be released in the end of 2022. Despite that, Denis OK is offering for sale on eBay, XStealth Pro version (since 2021!):

The funny thing is that Deniz Ok is presenting his scam as a "Real Deal". This is how scammer is lying eventual buyers.
The good news: until today, he didn't manage to scam any buyers. All stars he get on eBay account comes as buyer and not as seller, building a fake trust for novice buyers. "Buy with confidence from the 100% positive feedback" is obviously a ridiculous lie. There is no feedback as seller. He need all that ratings because of the price he is asking for XStealth "Pro". Big prices can be used only by old and trustworthy sellers, according to eBay policy. This scammer managed to bypass eBay checking.

We have to admit that fraudster is actually honest when wrote on eBay "!!!This is the REAL DEAL !!!". Yes, he is right. But... does not refer to buyers, but to himself: its a damn good deal for him, getting money for nothing.

If you think that selling banana phones as "secure" cell phones on eBay is the only scam that Deniz Ok sell, you are wrong. There is another scam he sell on eBay, even bigger: "Secure 4G WIFI router portable Hotspot VPN encrypted ~ IMEI ~ untrace stealth".

What is actually that? Well, nothing special. Is just a regular Huawei router (E5573/E5770/E5885 series) which have a built in feature that allow IMEI changing by AT commands or directly from router control panel. There is no "encrypted" connection as scammer lie on eBay. Just to make it look more complex and complicated as actually is (for unaware buyers), scammer Deniz Ok is using "Airport Express" as model name, a term which is used only by iOS devices. Not to mention that scammer is faking also device manufacturer: instead of Huawei (Huawei logo is clear shown on some pics he posted), he pretend that the brand is called "Securwifi" (?!), a name that does not exist on a simple search on Google.
Huawei router price is only about 30-40 USD. You can check it on Google. Taking advantage on regular people lack of knowledge, scammer Deniz Ok is reselling this device with 400 GBP (about 540 USD) without making any modifications to make it more "secure". Nothing. Nada. Zero. But 200% profit margin. Cool or what?
On Aliexpress.com you can find the same product he sell (and same pictures he use on eBay), with detailed description. Nothing about "special" security, encrypted connection and all that sort of lies scammer use: www.aliexpress.com/item/32981395475.html Same here. And here.

No need to pay huge prices to this scammer. Here is how you can change regular router IMEI:

Huawei mobile routers & WIFI hotspots are well known for IMEI change capabilities. Nothing new about this. But this is not enough to make a mobile router secure, untraceable and stealth, as scammer Deniz Ok pretend.
Here is why:

1. A mobile router/WIFI hotspot does need a SIM card in order to work. SIM card provide connection between router and mobile network (outer world, internet). And guess what: router will connect to mobile network trough... cell towers and not directly to internet because this is just impossible. Hence, no real security because to allow connection, cell tower (and mobile network servers) need to know 2 things about any device that is asking for connection (including mobile routers): IMEI (router ID) and IMSI (SIM card ID). Only after providing this sensitive information to network, a mobile router can connect to internet trough a cell tower. For those who don't know, there are some devices called IMSI catchers, used for location tracking, call interception and data interception. An IMSI catcher does what is supposed to do: collecting IMEI and IMSI, then using them for further operations as location tracking, call interception and data interception. Funny, isn't it?
If mobile router IMEI can be changed at will, IMSI cannot be changed unless you insert every time another SIM card. However, when mobile router will connect to cell tower both IMEI and IMSI are broadcasted over the air and used for interception purposes. If an IMSI catcher or GSM interceptor are active within range, interception, location tracking and monitoring is trivial.
When you are on the move, mobile router will connect to other cell towers (trough SIM card) exactly as any other cell phone when travelling. Hence, your location data is exposed and widely available for network provider and law enforcement (and even for hackers). Location tracking is trivial. And "security" is just a lie that scammer Deniz Ok tells you.

2. Every single mobile router does have a so called router ID: a 32-bit IP address that uniquely identifies a router in an Autonomous System. This is also vulnerable to interception.

3. Every single mobile router have a MAC address (hardware ID) which is also vulnerable to location tracking and surface attacks.

4. Every single mobile router does use a SSID (wireless network name) broadcasted in clear text over the air. This is also a vulnerability, transforming your "secure" mobile router in a sitting duck when it comes to lawful interception because will say "hey, here I am!" to any mobile interception systems.

Compared with regular cell phones, a mobile router is more vulnerable to remote attacks, interception and monitoring because is using 2 vulnerable wireless connections (since a cell phone usually have a single connection with cell towers): wireless connection with cell towers and wireless connection with your cell phone, laptop or PC. Different radio frequencies but same vulnerabilities:

Any mobile WIFI router / mobile hotspot is more vulnerable to over the air attacks than a regular cell phone. There are 2 essential vulnerabilities:

1. Wireless connection between router and your mobile device (cell phone, tablet, laptop, PC, etc.). Intercepting WIFI is trivial and more easy to do than intercepting a cell phone, due to WIFI security lack (authentication procedures, encryption, etc.) compared to regular mobile networks. As a matter of fact, tactical WIFI interception systems are way more cheap than mobile interception systems. You can find plenty of such systems on a simple Google search. Just to name few:
www.shoghicom.com/wifi-interception.php
www.tarideal.com/product/tactical-wi-fi-interception/
https://pegasusintelligence.com/sigint/#TacticalWiFiInterception
https://test2.zonetex.net/our-products/wi-fi-interception-system/
cerberussolutions.co.id/productssservices-wifi-interception-solutions/
https://spectradome.com/wifi-interceptors/
https://www.stratign.com/product/wi-fi-interception-system/

2. Wireless connection between router and outer world (regular mobile network).
Thinking of connecting your cell phone or PC to WIFI router / mobile hotspot via cable, which will reduce attack surface? Well, is remaining another vulnerable connection: data connection to cell tower that provide internet connection. If you think that your "secure" router is connected somehow directly (via cable?) to some sort of "secure" servers, you are completely wrong. This is not how it works. Your "secure" router will connect to the closest cell tower within your area (in the very same way as your cell phone does), in order to provide internet connection. Hence, no matter which kind of data connection exist between cell tower and the rest of the network: wireless connection is the weak point, exploitable by regular IMSI catchers and GSM interceptors that will intercept data connection (like this one), not to mention lawful interception systems.

Not least, "Secure 4G WIFI router portable Hotspot VPN encrypted ~ IMEI ~ untrace stealth" scam sold by Deniz Ok, is made by Huawei. Remember that back in May 2019, the US added Huawei to a trade blacklist over the company's alleged ties to Beijing, which were seen as a national security threat. So, a totally unsecure device is sold as a "untraceable stealth" router. No other comments are needed.

This particular fraudster and scammer use different methods for buyers and sellers.

If you are a buyer, scam is done pretty much straight forward: scammer pretend to sell "Real working untraceable phone from XCell Technologies brand new in box." In fact, all XStealth Phones he sell are marked and monitored by law enforcement agencies with the help of XCell Technologies programmers. This is possible because Deniz Ok ordered a custom made lot version that have vulnerable software apps installed on his demand for whatever reasons. We have to mention that regular XStealth Phones cannot be tracked and monitored even by the manufactirer (or programmers), not to mention law enforcement agencies or hackers.
This way, when you buy a stealth phone from Deniz Ok, will get no security nor privacy. Instead, you can get an entire Police squad at your door step once you power up the phone.
The same if you buy the other scam: "Secure 4G WIFI router portable Hotspot VPN encrypted ~ IMEI ~ untrace stealth" and start doing some online monkey business.

Situation is different if you sell secure cell phones, any other devices or whatever marchendise he is interested to "buy". Deniz Ok is using old fraud techniques, almost as a talenbted con man. According to XCell Technologies managing board, this fraudster will first pay for all devices he order. Then, right after shipping when fraudster is sure that the parcel is on its way and cannot be returned to seller, he will pretend that devices are defective and not manufactured based on his requests, demanding payment refund. Fraudster will keep all devices and will stop replying to any messages. Managing board mentioned that Deniz Ok used disposable phone numbers in order to contact them and assigned forwarding agent. This fraud might involve telephone service provided for Deniz Ok by famed British Monomarks Ltd.
Recently, Deniz Ok tried to scam a German reseller which is pretty new in business, pretending that he is calling on behalf of German Domestic Intelligence Service - Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz / BfV) and he want to order several dozens of stealth phones, being ready to pay for all quantity before shipping and without testing any stealth phone before payment, which is pretty unusual. Please note the same pattern used to scam XCell Technologies, before. Fraudster mistake was a beginner one: he considered his business "partner" (XCell Technologies German reseller) a newbie that have no idea about how any intelligence agency run technology aquisitions. Based on EU regulations, they have to set up a public tender even when buying office paper and pencils, not to mention hi-tech devices that cost a lot. Also fraudster Deniz Ok didn't prepared his fraud very well: he had no idea that BfV does not buy directly interception and security devices, because they don't use that directly. All technology is bought trough 2 support and research agencies for law enforcement and BfV, called ZITiS (Central Office for Information Technology in the Security Sector) and BSI (Federal Office for Information Security) with competences in information security and cyber security. So, German reseller realized that is a fraud on its very beginning, having fun with fraudster and playing with his nerves. In the end, fraudster tried to scare the reseller, threatening with BfV revenge, which was the most funny part of his failed fraud.

If you are a buyer or a seller, just don't buy or sell anything from or to Deniz Ok and its related scam companies ABC Limited and ABC Großhandel. Keep in mind that scammers can change name, address, "company" name, can use other new eBay accounts to avoid to be discovered as scammers. But will never change the way they scam. Just stay away from this.
In case you have bought such device, call the Police and register a fraud complaint. Also report the account and products to eBay customer service. If really lucky, you can get a full refund for the scam.
If you really want to buy and not sure if you will buy an authentic Stealth Phone, you can contact us at any time, or you can contact devices manufacturer and its official distributors. Never get scammed again.
You can help others avoid secure phone scam, by distributing this article.

"Business" basic steps:
1. Buy a non-compatible Samsung G600 (instead of Samsung G608) with 15 euro.
2. Flash fake "stealth" firmware which does not work.
3. Steal a real background image from a genuine stealth phone, and then insert it on a fake stealth phone.
4. Sell fake stealth phone on eBay with cheap prices, to bargain lovers and non security-aware people.

The mistake he did, so we can reveal the scam: showing A5 change alert settings screen, where HandOff function is not used anymore by genuine XCell Stealth Phones, being replaced with AntiInt (Anti Interception) function. That outdated function is contained by an old firmware version (1.0) which has been partially copied and implemented on fake stealth phones as the one we discovered here.

There is just a single and simple thing you can do when not sure if Stealth Phone you intend to buy is genuine or not: contact manufacturer (click here) to confirm product authenticity. And remember: a cheap item that only look like original is usually fake.

​If you cannot convince them, confuse them. This is the basic for selling lies. And very basic for anonymous SIM card scam.

​There is no way to make a phone call from your cell phone without a SIM card, unless you are calling emergency numbers or you are using app voice calls via WIFI (as Skype or WhatsApp). But because scammers are trying to sell you a SIM that pretend to be "anonymous", that SIM might use a cell tower. Also, even when using data voice calls instead of regular voice calls, your phone will connect to nearest cell tower (data connection channels instead of voice channels). Unless using WIFI, there is no way to circumvent a cell tower if you want to communicate. A cell tower means mobile network, servers, SS7 vulnerabilities and exploits, IMSI Catchers, GSM Interceptors, location tracking and monitoring. Least but not last, mass surveillance.

​Are you a happy buyer of one of those Anonymous SIM cards? Are you sure that IMSI is protected and your SIM security is "hardened"? Well, time has come now for a small and quick test.

Most of people have no idea what IMSI is, and also no idea on how to get it from their own SIM card. Moreover, they have no idea what can be done when someone is getting IMSI from your SIM card. So let's start testing. No need for any technical skills, special knowledge or payments.

​Anonymous SIM card vendors pretend that card security is "hardened" and IMSI is not revealed to interception systems due to some security tricks.
Whether you have a classy Android or swanky iPhone, you can test your new bought "anonymous" SIM card, right now. Just go to Google Play or App Store and install any app that shows your SIM card info. Example: Whats My IMSI.
On iPhone is even simple: go to Settings menu and from there you pick "Mobile Data". Choose "SIM Applications" and that's pretty much you have to do.

Got your IMSI now? Good. Now you can throw away your "anonymous" SIM. And have a look on your window: your "protected" calls might actually "call" the police straight in front of your gaff.

The IMSI you can see is being used by your phone when connecting to any cell tower, in order to make/receive calls and messages. There is no other way around. The phone cannot connect directly to any "telephone switchboard", as scammers pretend. Because "telephone switchboard" is not a cell tower. Your phone call is routed first trough local mobile network, then trough SS7 network, to recipient mobile network. In this particular case, your phone call is also routed trough your "anonymous" SIM issuer servers located in Russia, before reaching recipient local network. Hence, instead of "hardened" security you've got less security than you have expected. And sure, with an extra payment which will make you think that is serious yet affordable security.

Google for SS7 attack, SIM Toolkit attack, IMSI Catcher to see how IMSI can be retrieved over the air and then what can they do with it.

​Buy cheap pay as you go SIM cards and sell them as anonymous SIM cards, with 500% profit margin.

Straight forward: there are no anonymous SIM cards. This is technically impossible. All of them are just a big time scam that take advantage on lack of knowledge from regular people. And nothing more.

Fact: there is no SIM card without an IMSI.
Fact: there is no connection to a cell tower without IMSI being used for connection purposes.
Fact: even data only SIM cards have an IMSI assigned by the manufacturer.
Fact: there are so called IMSI catchers, designed especially for call/SMS interception based - as its name says - on IMSI.
Fact: if you can call whatever number or you can receive calls, that means your phone is connected to a cell tower, by using voice/data channels.
Fact: once connected to a cell tower, almost ANY cell phone location can be (and it is) tracked by various technologies and systems, taking advantage on mobile network weaknesses or mobile network nodes (SS7).
Fact: once connected to a cell tower, any phone call can be (and it is) intercepted, no matter if voice call is routed on standard voice channels (regular voice call) or on data channels (as Skype, IM, WhatsApp, etc.).
Fact: not the SIM card is choosing the cell tower to connect on it, but the phone. This is the way that all mobile networks are designed (no matter if 2G, 3G, 4G, etc.), a SIM card being only used to identify a certain subscriber.
Fact: the phone number is not stored on the SIM card. Phone number is stored on mobile network servers (HLR/VLR) and cannot be altered/changed directly from the phone/SIM. A phone number can be altered/changed ONLY by using data connection and 3rd party servers. Some particular "russian SIM cards" are using standard voice channels that still route the call trough some russian server, where in fact take place voice changing, and only then the call is routed to call recipient.
Fact: ANY SIM card is encrypted by default, using comp128 algorithm. There is no other encryption that a SIM card support. This is meant for anti-cloning purposes. Some early comp128 versions has been compromised, old SIM cards (until 2012) being easy to clone.
Fact: ANY regular phone call on ANY mobile network (no matter if 2G, 3G, 4G, etc.) is encrypted by default. Otherwise, anyone with a radio receiver can intercept that call. A SIM card CANNOT ad another layer of encryption on top of existing one, nor additional encryption.
Fact: ANY SIM card is trackable and any phone calls and SMSs done with a SIM card can be intercepted.
Fact: IMSI is not the same with phone number, nor with ICCID. IMSI is stored on SIM, since phone number is stored on carrier servers.
Fact: IMSI is not printed on SIM, but ICCID.
Fact: anyone can figure out its own SIM card IMSI, by using freely available apps (both on Google Play and App Store). If you average Joe can do this, then law enforcement or hackers can do that remotely, over the air.
Fact: IMSI change is possible by sending special requests to SIM issuer (the mobile network that issued that particular SIM). The request cannot be sent directly by the SIM user but by other company, in his name (used for example when porting a phone number). Changing IMSI this way is not a standard procedure, despite the fact that IMSI change is mentioned on GSMA and 3GPP procedures. Fraudulent MVNO companies (mostly russian) are taking advantage on this procedure, enforcing the law because the MNO doesn't care, changing SIMs IMSI based on user direct request.

Started back in 2014, anonymous SIM card scam refers to a few types of SIM cards that are being sold to people without a decent knowledge regarding mobile networks:

1. Pay as you go SIM cards (aka prepay SIM)

Some European countries as well as non European ones still issue pay as you go SIM cards with no need to show any personal ID and with no prior registration. This type of SIMs are considered "anonymous" just because there is no connection between user name and phone number. There are no other "special" features or "security hardened" things, whatever that means. At first sight, using a pay as you go SIM (eventually issued by a foreign carrier) looks as an advantage for SIM user. But stepping down on real life, this is what is happening: when a suspect is using whatever SIM, law enforcement ground teams are using IMSI Catchers and/or GSM Interceptors that collect both SIM IMSI and phone IMEI, for further tracking and monitoring. Hence, doesn't matter if the suspect is using a pay as you go SIM: IMSI catcher has done the job, matching all together: suspect identity, SIM identity (IMSI) and phone identity (IMEI). Simple and effective. A good article regarding this type of anonymous SIM scam can be found here.

2. SIM cards that have so called "multi IMSI" option.

This is nothing unusual, and are not adding any additional security to phone calls or location tracking. Just google it by yourself. Multi IMSI SIM cards are sold worldwide by various carriers as SIM cards for frequent travelers which can have up to 4 different IMSIs, corresponding to 4 different phone numbers. The user can choose which IMSI (phone number) is used at a time, by local low rates policies. Nothing to do with additional security or dynamic IMSI change. This type of "anonymous" SIM cards create a false security feeling just because user can alternatively choose from 4 phone numbers to use. Any multi IMSI SIM card can be tracked and intercepted as any other SIM card.

3. Russian "anonymous" SIM cards.

These are SIMs issued by russian MVNOs, which have assigned 1 or multiple IMSIs (up to 4). To place "anonymous" calls, the phone (along with the SIM) will connect to the closest cell tower, by disclosing both IMSI and IMEI. There is no other way around. IMSI and IMEI have to be used in order to connect to the network. Hence, no anonymity: since IMSI and IMEI are disclosed, a wide range of tracking procedures (SS7, GSM Interceptors) are possible, also call interception and SMS interception are just a kids play. Going further, the call is rooted from local mobile network (which is the first weak link that instantly disclose user identity), to russian MVNO servers, where phone number and voice are eventually changed (if user choose to use voice changing and phone number changing), and then the phone call is finally reaching the recipient number. What this clowns are trying to hide from you by taking advantage on your lack of knowledge regarding GSM network standards and specifications is the call route: instead of standard call route (simplified: cell phone > cell tower > core network HLR/VLR > network switch SS7 > russian MNO > russian MVNO servers > russian MNO > SS7 switch > recipient network HLR/VLR > recipient local cell tower > recipient cell phone), they claim that the call originating from your cell phone does not connect to any surrounding cell tower but to some sort of "telephone switchboard", which obviously is not technically possible. Do not forget that even when using data connection to place a IM call (Skype, WhatsApp, etc.), your phone will connect to THE CELL TOWER, by using the same IDs: IMSI and IMEI. In other words, unless you are using WIFI, any call will go trough nearest cell tower, no matter which SIM you are using. With a lot of nonsense blah blah and using apparently a technical vocabulary just to make you think they are professionals and/or skilled hackers, a vocabulary that in the end of the day will probably convince you by confusing you, scammers succeed to sell SIM cards as "anonymous" SIM cards.

We all know that SS7 network is compromised, but it takes more than a few keystrokes to abuse the SS7 network: it takes expertise, money and more important - SS7 access. But from what we have seen, once attackers have all 3 they are making sophisticated use of SS7, because once you have this ability, you want to exploit it fully. The real problem with these unscrupulous russian MVNOs is the access they have to SS7 nodes based on contracts they have with other international carriers, access that make available for them a wide range of SS7 exploits, including call interception and location tracking.

 * Anomalous, but not malicious traffic. This can be everything from malfunctioning nodes, attempting to send for all subscribers rather than their own, to unusual implementations of legitimate services, to anything else which is not known to be malicious. The skill here is in identifying this and making sense of what is malicious and what isn’t – not always easy to understand.
 * Malicious attacks, up to a medium-level complexity. These are the more well-known location tracking, fraud and information harvesting attacks, and were the main type of attacks that operators encountered when they started to investigate SS7 security in depth. As time has gone on, the perception of ‘simple’ has risen in complexity to cover more and more types of attacks.
 * Malicious attacks, of advanced complexity. This is the type of attack that takes investigation to even identify in the first place, and once identified requires detailed understanding of what the attacker is trying to achieve and how, in order to build consistent defense against it. These are the most advanced type of attacks they will increase in complexity as time goes on.

We are actually seeing a progression over time (i.e. over the last 2 years), where some of the attackers who have access to the SS7 network have progressed to trying to use more and more sophisticated methods to achieve what they want, especially now that a large number of operators have begun to implement defense. Most relevant example: ULIN.

One more thing: as always when something is too nice to be true, you never know who is really hiding behind that servers. You have no means to check that russian MVNOs and its hidden strings that eventually lead to local intelligence services.

4. Writable/Programmable blank SIM cards, widely available on Alibaba and other Chinese web shops, also on eBay and Amazon, at really low prices that comes in bundle with read/wright device and software. This way, you can make your own SIM card, with any IMSI.
This is all you need:
a. A programable blank SIM card
b. SIM card Reader/Writer device
c. Software (usually 128k Milenage algorithm and XOR algorithm, Matching the standards of GSM11.11, GSM11.12, GSM11.14, GSM11.17)
The (big) problem consist in Ki (encryption key) which need to be written on that new SIM. You need to know the Ki key, and there is no way to retrieve this key 99.9% of the time from another SIM card, because it is only known by the operator itself. This is why SIM cloning (comp128 v2, v3, v4) is not successful.
Ki problem can be easily solved by a malicious MVNO, which know the Ki and can program its own blank SIM cards.
Chinese vendors has solved this: SIM factory can program the SIM for you when ordering in bulk, including custom printing as you can see on most "anonymous" SIM cards. See it in action:

​Even if Ki is known, once written, the new "anonymous" SIM card will encounter real security issues that make it more vulnerable than a regular SIM, nulling this way the IMSI change function:
a. does not support GSM 11.14: digital cellular telecommunications system (Phase 2+) - specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment(SIM - ME) interface.
b. does not support GSM 03.48: security mechanisms for SIM Application Toolkit - Stage2 (GSM 03.48 version 8.8.0 Release 1999).
This mean that the SIM card is vulnerable to a wide range of remote SIM Toolkit attacks.
c. comes with STK menu that supports various applications, which can be updated by OTA download. That means you are not in control of your "anonymous" SIM card: various and potential dangerous executables can be downloaded and executed on your SIM, without your consent and acknowledgement.

Just google it. Crowds of scammers using tens of websites, eBay and Amazon accounts are trying to scam you big time with "anonymous" SIM cards. You can even call them, asking more explicit about how anonymous SIMs work. No doubt, you will get as many explanations as scammers are. Every single one will come up with his own evasive explanations, sometimes even hilarious for an advised person. Those are "professional experts" type. The other ones - "honest" seller type - will simply reply that they are only selling those SIMs, and more explanations can be found on manufacturer website.

​Judging only by the number of items sold via eBay and Amazon, there are thousands of fooled people. And their number is still on the rise.

Beside billing, phone number changing is a feature that work. On the other phone you are calling will appear always another phone number that is calling. At first sight, this is a stunning security feature for most of users, which will certainly impress the buyer that can see a live demo of the feature. But:
Phone number changing take place on their servers, so the phone number will be changed only when routed call will arrive on their servers, on its way to called cell phone. The call is leaving your cell phone with the same IMSI and phone number every single time, and changes are done only when your phone call hits the server.
From the point of view of an IMSI Catcher or SS7 attack, NOT the phone number is relevant, but the IMSI. This is why interception systems are called "IMSI Catchers" and not "Phone number catchers".
And yes, your cell phone location can be tracked and your calls can be intercepted as any other ones. From law enforcement point of view, changing phone number have no relevance when it comes to call interception and location tracking just because the phone number is NOT STORED on SIM card. Phone number changing is actually the single feature that can be tested by the user, which will convince any skeptical person to buy a anonymous SIM card.

Find out more

source

​Back in 2014, some Russian white hat hackers have revealed Anonymous SIM card scam. Read below their study and conclusions.

​"If encryption made any difference, they wouldn't let us use it", said someone.

Encrypted calls are protecting you from the ones that don't want to (or cannot) intercept your phone calls, and does not protect you at all against the ones that can intercept your calls - law enforcement, homeland security and intelligence agencies. Make sense to you? If not, please read below.

Most people think that call encryption is the Holly Grail of secure communications, being also a mainstream when it comes to software development for mobile security. Why is that? Because of 007 movies? Not at all. Because is the only product you can find on nowadays security overcrowded market. From hardware devices to sophisticated software applications, all claim that encrypting your mobile voice calls is the best you can get and there are no other trustworthy solutions. Unfortunately encrypted calls does not offer real security when you are targeted not just by (abusive or not) law enforcement, homeland security or intelligence agencies, but worst, even when you are a target for a skilled hacker.

You don't have to trust us. Just google for voice call encryption hack and tons of articles are available at a glance.

For those of you that use voice encryption products on mobile phones the last thing you would expect is for it to be easily decrypted and intercepted. You may have shelled out good coin for your application and rely upon it for your intellectual security, but what if that security was not as tight as you had imagined, what if a readily available wiretapping utility attainable by anyone, and a simple Trojan slipped on to your device could compromise all of your calls?

Back in 2010 blogger, hacker and IT security expert Notrax has done just that. For his own safety we will not reveal his name, however, Notrax has discovered that 12 commercially available mobile voice encryption products can be intercepted and compromised using a little ingenuity and creativity as he has carefully detailed on his website.
He tested 15 voice encryption products in total, 12 of them were “worthless”. It’s easy to take the software at face value when it “tells you” that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.

Secure means that Notrax did not manage to crack it. It does not mean that someone else would not be able to crack it.

These calls can be tapped by anyone that has basic technical skills or the money to back up such an endeavor. “Statistics show Government agencies on average conduct 50,000 legal wiretaps per year (legal= those where a court order is required), (Let’s not forget Echelon) another 150,000 phones are illegally tapped by private detectives, spouses and boyfriends and girlfriends trying to catch a potential cheater. Another estimate shows up to 100,000 phones are wiretapped by companies and private industry in some form of industrial espionage. It is happening and it is a big business.”

SnapCell was safe, it’s a private encryption device that snaps on to your mobile, they claim to protect your mobile voice, fax and data communications from wiretapping, eavesdropping and line interference. SnapCell’s website has been offline since January 21st for unknown reasons.
If you are using one of the above voice encryption technologies, you may want to be on the lookout for a new solution, as XCell Stealth Phones. Although these applications cracked are not entirely secure, it would take much effort to bypass them, like having the attacker be able to load software or a trojan on your phone without you knowing. It’s similar to a credit card, so as long as you keep it with you in a secure place you should be fine for the most part.
How govt is using spyware to circumvent call encryption? Read more here.

Think that LTE mobile networks are secure? Well, think twice: hackers decrypt VoLTE encryption to spy on people calls. More here.

Though using of encryption to protect your privacy might be the prudent choice, the method has its own disadvantages:

• Because a cell phone (no matter brand, OS, ram or chipset) does not have enough computation capabilities to encrypt/decrypt a phone call locally, voice encryption take place on 3rd party servers. That means your voice encryption app that you just installed on your "secure" smartphone act like a link to encryption server. This way, only by using data connection (WIFI, etc.) and stepping out on phone outer world you can use such application. The problem is that a server is actually someone else computer. You can't find out who is really hiding behind that servers. Some manufacturers of cryptographic equipment have a track record of hidden cooperation with intelligence agencies and interested private companies. Some of them are not even using publicly scrutinized and standardized crypto algorithms (like Diffie-Hellman, SHA256, AES and Towfish), but “proprietary” encryption methods that are not available for public evaluation. Several “proprietary” crypto-algorithms that were not subject to public review have been shown to be easily breakable in the past, like the COMP128 algorithm that is in use in many GSM networks for authentication, so the “proprietary crypto” approach has to be regarded as very risky. In the end of the day that means you have no real control on your voice calls.
• Introducing a back door into a crypto system does not even require active cooperation of the manufacturer of the equipment or software. All it takes is one bribed programmer to compromise an entire product.
• You never know if encryption solution you use is indeed trustworthy and there is no reliable way to check it. Most of the encryption applications developers are not making public the source code. There can be (and most of the time there are) back doors used by law enforcement agencies. Sure, you can find source code for some encryption apps, which are made available for public by the developer itself. Unless you are not a cryptographer or cryptanalyst, there is no way for you average Joe, to find out if some security flaws affect your encryption app.

Open sesame of encryption solutions
Will you use an encryption app that have servers located in let's say... North Korea? Probably not, but you have to reconsider your opinion. Shortly saying, the more consolidated a democracy is, the easier is for law enforcement to get access to encryption servers, based on a simple warrant. All that because consolidated democracy countries know what we call the rule of law. Since encryption apps are not developed out of this planet and all encryption servers reside in some county, Govt and related institutions have a simple tool called judge warrant which will instantly "open" any "encrypted" server used for so called "secure" communication. Yes, its a matter of time. But in the end they will get a plain text or plain voice copy. Not to mention that NSA and other similar actors have tools and solutions that effectively circumvent any encryption apps, used nowadays to find out in real time what they are looking for.

Using voice call encryption might make you look suspicious and attract unwanted attention on you, exactly from the ones you are trying to hide from. Its like a ringing bell attached on your tail. Have a wild guess on what they will do in case the you use an encrypted cell phone. For sure they will use some other ways to get the info they need. They will not wait to find some security flaws in your crypto app, they will not attempt even deciphering. They will simply bug your home, office and vehicle, will spy on your computer, will intercept your mail and will use covert human intelligence sources (HUMINT) and whatever it takes to obtain relevant information about you and your activities. They can easily bypass the communication protection provided by the encrypted phones by simply collecting relevant information from other sources. Simple as that. Yes, its not on real time. But can be very close to that.

If you are targeted by an intelligence agency, encrypting your mobile communications does not mean that you are 100% protected against eavesdropping. Think about that: will they drop you just because you use encrypted communication? No, for sure.. Being a challenge for them, will find another ways to get the information they need. Sure, for a short period of time your secrets will remain... secret. But any decent agency will find at any time security breaches, gathering info they need about you, by any means.
Actually by encrypting your phone conversations, you are telling them that you have something important to hide and you invite agencies to use other ways to gather intelligence.

When using encryption over standard mobile network voice channels (not via data connection) like that encryption devices attached to your cell phone, that encrypted call is not so... encrypted as you think. Yes, will defend against call interception performed by spyware apps installed on your phone, because phone microphone is not used during encrypted call sessions. But even if you use such a device, the GSM operator or the entity that operates a GSM interceptor can find out pretty much information such as:

• both phone numbers involved in conversation
• conversation length, time stamped
• your (phone) location at the moment of call
• your geo-location at every moment, by some simple and effective triangulation techniques, based on your phone IMEI that cannot be hided by any encryption app. Once you power up your crypto phone, IMEI and IMSI (if there is inserted a SIM card) will be sent out to network, for connection. No need to make any call or send any SMS. This is the way that all cell phones work, including your crypto phone.​

• Modern GSM interceptors can selectively and temporarily block any cell phone within its range based on IMEI and/or IMSI values, making that particular crypto phone unavailable for use, for as long as they want. This happen when a crypto phone uses data connection in order to make encrypted calls.
• It is well known that cell voice encryption need high speed internet connection. Many modern GSM interceptors can downgrade your crypto phone connection from 3G/4G to 2G, by simply jamming 3G/4G uplink frequencies, which is a standard procedure. By doing that, crypto phones that use data connections will fail and become useless.

Not even notorious encrypted cell phones are immune to this attack. Few years ago, an average Joe posted on YouTube a short movie demonstrating how a well known app used for enterprise encrypted communications - GoldLock - can be defeated by a cheap commercial grade spy app called FlexiSpy. Because he had the phone in his hands with GoldLock already installed on, he installed also FlexySpy on the same cell phone. He started an encrypted phone call with another GoldLock phone. Entire conversation was recorded by FlexySpy in clear, just because FlexiSpy collect audio straight from the microphone, way before GoldLock proceed to voice encryption. Then, when conversation finished, was automatically sent by FlexiSpy via WIFI or data connection on a server where could be listened from user personal account. Simple, efficient and embarrassing for a top notch encryption application. You can do whenever you want the same test.
By some reasons, the video was removed from YouTube so we cannot post a link. Also since then, no more free trial apps are available from GoldLock, avoiding other similar situations. However, that does not make GoldLock less effective for private users, being by far one of the most secure communication application.
And yes, the same can happen with your "secure" cell phone.

This is why voice call encryption is a short time solution for secure communications. In fact, being predictable is one of the worst choice on intelligence battlefield. And using a crypto phone means that you are more than predictable.
When using any voice encryption solution (software or hardware), you will never know when actually your cell phone is intercepted, and by consequence you will never know when you are in real danger. Instead of crypto phones blind protection, it is better to know when someone attempt to tap your calls and when they are trying to locate you. Then you can act advisedly, taking the right decisions and even influencing them by different deception techniques. Here comes XCell Stealth Phones, which brings you the best of both worlds: interception detection and interception blocking. Detecting interception in real time and on the right time is really something else than using blind encryption, an advantage that is used by professionals against... professionals.

Based strictly on customer request and if we are sure that customer fully understand all security risks he take, a voice encryption app can be installed on XStealth Lite and XStealth.

source

Surprisingly for most people, the phone number (called MSISDN in terms of mobile networks) is not stored on SIM card, which contain only SIM ID, called IMSI (International Mobile Subscriber Identity). By consequence, there is nothing that can be changed locally in a secure way, on SIM level. This is why XCell Stealth Phones can change/manipulate IMSI and cannot directly change phone number.

Hiding Caller ID is something else than changing phone number and depends on your cell phone and mobile network settings. The result is just a Unknown call received by the call recipient. Read more here.

At first sight, voice changing might look easy to be implemented on a cell phone, but real time voice changing needs powerful chip sets that usually mobile phones does not have. This is why all voice changing services or applications are using external servers or external devices attached to a cell phone. Hence, no real security for phone user.

A voice changer is not really necessary when it comes to phone monitoring done by law enforcement agencies: they will know exactly your identity, location, calls and messages path, the voice content of your calls and text content of your messages, etc. A voice changer will give you a false sense of security, unless you intend to use it for a prank. Also, in the past 3 years interception systems that use voice recognition feature for automatic target detection and call recording is not used as primary filtering tool, due to the fact that sample voice (needed for voice recognition) sounds different from phone to phone, due to different hardware capabilities. Hence, false positives emerging with an unwanted high rate. Read more here.

Before everything, let’s face it: who do you really fear?
There are not so many hackers around that can actually track your cell phone, because of few simple reasons: expensive hardware needed, lack of knowledge regarding GSM stack and SS7 protocol effective exploits, not to mention that hackers have no interests on you, average Joe. Excepting your worried parents and jealous girlfriend, no one wants to know your (cell phone) geo-location. Tracking a cell phone is not a simple “push button” situation when is done by a hacker. That involve deep and extensive knowledge, pretty expensive hardware, time and not least, an considerable interest on you, average Joe. Which obviously is not the case unless you are just another skilled hacker or a high profile person.
The situation became serious when you did something bad or even illegal. Then, you became a target for law enforcement and/or intelligence agencies. And there is no way to hide your (cell phone) location. They have not only the legal ability to track down your cell phone at any time, but have also technological and human resources to do that, not to mention training and expertise.
In case you think that your own cell phone is secure, its time for 2 simple tests.

TEST No. 1: NETWORK TESTING BY EMERGENCY CALL.

Read more here.

To be honest with you and also with XCell guys, their old website doesn't look too nice. In fact the look was pretty obsolete with that old HTML version. But now everything is changed and you can navigate on a brand new web shop: https://stealth-phones.com
However, not the website look is important but the new products you can buy there, now without any sale restrictions as they had before on the old site (x-cellular.com).
There is also a page that we appreciate more than others: The Blog. After getting permission, we will start posting some interesting articles from their blog.

Before reading:
Please note that we do not sell any devices, this is not a web store. We are not related to XCell Technologies, nor a subsidiary. If you want to buy any Stealth Phones, please contact manufacturer.

XCell Technologies has launched on 1st January 2019 their new flagship product: XStealth, an epic Android based Stealth Phone. Announced as a game changer, XStealth is one of a kind Stealth Phone. No other "secure" mobile phones have the same special functions and capabilities as XStealth have. Now, you can stop hiding. Be invisible and fight back with XStealth Phone.

Mobile technology has never played a more important role in personal security and basic rights than it does right now. XCell Technologies is uniquely poised to address the dangers of mobile interception used illegally or abusively by state towards its citizens, following shortsighted policies.

The next big thing is here. There was no perfect Stealth Phone, until now. The upcoming generation of Super Stealth Phones has been successfully rolled out.

There's been a lot of talk about Android Stealth Phone since 2014, when XCell Technologies released their first Android Stealth Phone, under Law Enforcement Product Line. Took them 4 years to develop the most advanced, the most secure Stealth Phone they have ever built. Excessively tested on all major interception systems, intensively used by field operatives and confirmed by their main clients as the most suitable for covert actions, when being a step ahead your enemies can be the difference between failure and success.
Based on XStealth military version released back in 2014 and stuffed with new and unprecedentely special functions, XStealth is now available for public use.

What do you want from a Super Stealth Phone? Everything, probably. After all, it's about your security. Well, with new rolled out XStealth Phone, you've got everything. And the best is yet to come.

Android Super Stealth Phone comes now in two flavors. Since XStealth Lite has been built for personal use, XStealth devices are aiming professionals ranging from govt to law enforcement and homeland security agencies. XStealth Pro is also coming as top notch product.

You can read more abour XStealth special functions, below. We hope that will get out hands on new device soon, for testings and first impressions.

While the rest of the market is going one way, with text and voice encryption, XCell Technologies is going down another, to the heart of problems, sticking with privacy and security based on interception detection and fighting against interception by using quite the same network weaknesses that IMSI Catchers and GSM Interceptors use. XStealth Phones are actually the only ones that can effectively fight back mobile interception, by using both defensive and offensive security methods.

Get the most out of your Super Stealth Phone, with our breakdown of specs:

First, about XStealth hardware security.

There is a kill switch to self-destruct on command even if the phone is turned off. As no other secure phones, XStealth USB port is protected by our well known volatile security filters: any attempt to connect the device to any other external device (no matter if PC, service box or forensic grade equipment), other than its own paired charger, will trigger a self-nuke mechanism that literally fry the whole motherboard in the same way as USB Kill work.
Anti-tamper JTAG protection is also implemented: serial communications interface for low-overhead access without requiring direct external access to the system address and data buses are disabled by default at  serial interface level.

XStealth Phones use a Tamper-Resistant Platform: any unauthorized attempts to connect the phone to any external device will delete the keys that encrypt all sensitive data. A remote wipe function is also available.
Authentication to login to the phone uses multi-factor (MFA) technology, voice biometrics being one of them. Due to security risks involved by face and fingerprint recognition login, these options has been removed.

Trusted Execution Environment (TEE) uses encrypted memory and includes a hardware random number generator. Communication between the Secure Environment and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers.

There is also installed a Data Execution Prevention (DEP) technology to mitigate memory-based attacks. This defensive technology dramatically narrows the attack surface area for memory related exploits by preventing code from being executable in sections of memory that have specifically allocated for read only data. DEP support is a critically important defense when used in conjunction with Address Space Layout Randomization (ASLR). These core improvements make it more difficult for spyware to perform buffer overflow, heap spraying, and other low-level attacks. Therefore, even if an attacker succeeds in loading the spyware code into memory, the spyware code will not execute.

XStealth Phones are not susceptible to side channel attacks, including various forms of power analysis attacks to ensure the protection of cryptographic keys.

XStealth Phones has the ability to execute a secure boot based on using a hardware root of trust for checking and storing hashes or signatures of firmware and other software loaded starting with the initial BIOS.

XStealth Phones have separates CPU from Cellular Baseband, preventing this way external manipulation by baseband attacks.

Now about XStealth software security.

Today too many apps are engineered to collect and disseminate enormous amounts of user data—such as location, Web browsing histories, device-unique IDs, search terms, and contact lists – data they often simply don’t need. Some app providers also try to obfuscate their data collection functions to get around restrictions by marketplaces such as Apple’s that are intended to prevent abuse of APIs and ensure better privacy for users. For example, researchers have recently discovered hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling. The abuser that was singled out – a Chinese mobile advertising developer called Youmi – used simple obfuscation techniques and dynamic linking to get around the application vetting checks performed by Apple. Same for Android platform, on weaker Google Play Store.

XStealth Phones runs a special version of the Android operating system—XROM—that blocks many of the ways phones leak data about your activities. XROM is an Android fork developed by XCell Technologies; it uses Google’s code for the underlying platform, but skips Google Services in the same way Amazon’s FireOS does.
The connection between XROM and software applications is filtered by Secure X-OS bridge, keeping both firmware and software applications away from exploits. Obfuscated code is adding an extra protection layer.

XStealth Phones does have Android trackers disabled by default, leaving no traces on Internet.

XStealth Phones comes with preinstalled generic applications which we have modified certain features (like removing back doors used by law enforcement and some security flaws), adding a plus of security and privacy (especially for Yahoo and Hotmail clients). This is why we have blocked any OTA software update which can restore security issues. Software updates usually refer to compatibility with new Android versions, which is not  our case and will not impact application workflow.

Regarding anti-virus application and software updates:

XROM firmware is secure by default: no other software applications can be installed by the phone user (which have the phone on its hands) nor remotely, by obscure third parties or abusive law enforcement. Hence, no anti-virus software is needed. Also, XStealth Phone will not perform any OTA firmware/software update, which may lead to remote exploits. You have to understand our point of view and hopefully reconsider your approach when it comes to mobile security: XStealth Phones are not aiming average users. All our Stealth Phones has been developed for professional use: intelligence agencies, law enforcement and homeland security. All above entities does not relay on encryption when it comes to secure communications because of a simple fact: all mentioned agencies have legal access and gain information they need by using back doors provided right by the software developers. If there is no cooperation from developer, then they will use another effective methods to gain access to relevant info, other than the ones used by hackers. There are plenty of companies that provide a wide variety of methods to penetrate any system such as computers and mobile phones. FinFisher is one of them: "Our Deployment Methods & Exploitation Solutions cover the latest PCs, smartphones, tablets and most common operating systems." "FinFisher can be covertly installed on targets' phones by exploiting security lapses in the update procedures of non-suspect software." "The software suite, which the company calls "Remote Monitoring and Deployment Solutions", has the ability to take control of target phones and to capture even encrypted data and communications. Using "enhanced remote deployment methods" it can install software on target phones." FinFisher malware is installed in various ways, including fake software updates and security flaws in popular software. Sometimes the surveillance suite is installed after the target accepts installation of a fake update to commonly used software. The software, which is designed to evade detection by antivirus software, has versions which work on mobile phones of all major brands.

FinSpy is a field-proven Remote Monitoring Solution that enables Governments to face the current challenges of monitoring Mobile and Security-Aware Targets that regularly change  location,  use encrypted and anonymous communication channels and reside in foreign countries. FinSpy is bypassing 40 regularly tested Antivirus Systems. Hence, no point to install an anti-virus as you have mentioned. XCell Technologies have opted for another effective solution to circumvent malware and harmful software install.

Please see also this short movie regarding remote mobile surveillance by "updating" a BlackBerry cell phone application: https://www.youtube.com/watch?v=n5ZJUXweayo

Even worst, also a not so skilled hacker can easily remotely install a spy application on a mobile phone which will not be detected by any antivirus, by the same "software update" procedure: https://www.youtube.com/watch?v=LicdrZwmHQo

There is a FinSpy detection algorithm installed deep on XROM firmware that will not only detect any intrusion attempt, but will block any code execution.

Encrypted bootloaders comes as standard option.

XStealth Phones are also using SIM Toolkit inhibitor, a blocker for remote code execution via SIM Toolkit (used usually by both network operator and law enforcement).

XStealth Phones use adaptive security defenses, being ultra-secure and adaptive [personal] smartphones: we will install before shipping any software application desired by the buyer, but only after running a comprehensive security audit. We will refuse to pre-install applications that can affect user privacy and security, and phone functions. No file explorers will be installed, as well as forensic clients or modded applications.

There are also things that we will not make them public available, as encryption algorithms used and firmware source code, simply because for any cryptanalyst will be more easy to break encryption when used encryption algorithms are known.
Also, a user controlled source code is not an option for XStealth Phones: that might be a huge opportunity for hackers and state controlled entities to find exploits, remote install/RAT or spyware which in the end of the day will lead to no security.

Please see below a list of special functions and default software applications.
Special functions command panel is password protected, accessible only by dialing a secret code.

1. Calibrate. First time when you activate the phone, you should run Calibrate function: the phone will self-calibrate, testing GSM network and saving data regarding home network, which is a part of auto-learning process. It is essential to use a new SIM card (no matter if contract or prepay) and to be in a safe place (connected to a real GSM network).

2. IMEI Change function. The user can control the way IMEI is changed (after every event as phone call or SMS, on network/IMSI Catcher request, etc.), and also can define its own IMEI, performing this way different protection scenarios. More info on User Manual.

3. IMSI Change function. Once enabled, the phone will start SIM cloning, generating valid IMSIs which are used for the next calls and messages. There are no other cell phones that can perform IMSI change. Please note that no Internet connection, third party servers or special SIMs are needed. Also, no monthly fees or other strings attached. Will work virtually with any SIM card, but we recommend using MNO SIM cards.
NOTE: This function is not available for XStealth Lite

4. Mode: the user can switch between Hunting Mode (call/SMS interception detection) and Anti Interception Mode (no calls and messages can be sent or received as long as phone interception is active, no matter if GSM Interceptor or SS7 means are used).

5. A5 Alert. Once enabled all, phone user will be warned in real time if voice and data connections are intercepted.

6. Location Tracking Alert. Once enabled, the phone will warn if a location tracking ping is received.
Ki extraction alert: every time when a GSM Interceptor is trying to get Ki (encryption key stored on SIM card) by sending so called "challenges" waiting for SIM replies with parts of encryption key, for later Ki calculation.

7. Real GSM Location Spoofing. The phone user can choose which cell tower the phone is connected to. This way, any triangulation technique used for location tracking purposes will generate wrong results which leads to false location. For easy of use, Optimal location spoofing should be enabled: the phone will always connect to the farthest cell tower, no matter if stationary or on the move

8. Channel Lock. The user can lock ARFCN (uplink and downlink - the radio channels pair that cell tower communicate with the cell phone and vice versa) in order to block any forced handover (forcing mobile phone to quietly disconnect from home network and connect to a fake cell tower impersonated by a GSM Interceptor

9. C2 Monitoring. The phone will monitor C2 parameter (cell re-selection criterion), which is used by IMSI Catchers/GSM Interceptors in order to force cell phone connection. Will also look for neighbor cell towers identity. In case the phone is connected to a GSM Interceptor, no cell towers will be shown as neighbor towers.

11. Sandbox. A separate secure partition where IMEI engine, IMSI engine and other security related software components run smoothly, out of any interference and tampering possibilities. The user can check at any time the integrity of Sandbox and its components.

12. Network Scan. A live network monitoring tool, looking for IMSI Catchers/GSM Interceptors, SS7 based interception and other network anomalies. A real time interception detection function is also available. No false positives due to intelligent scanning mode.

NOTE: This function is not available for XStealth Lite.

13. LAC Change Detector. This is the Proximity Alert Function. The phone will detect any abnormal LAC (Location Area Code) when stationary, changes made only by IMSI Catchers/GSM Interceptors in order to force connection

All data regarding mobile network - including LAC changes - is saved in a text document.

14. Microphone Lock. User can lock the microphone at any time, preventing remote activation and listen in on the environment.

15. Camera Lock. User can lock the camera at any time, preventing remote activation for spy pictures/movies

16. On Screen Functions

For easy of use, main monitoring and warning functions are displayed also on the home screen. Since main home screen looks anonymous and like any other smartphone, by a simple screen swipe all monitoring functions will pop up on the screen.

Call workflow
Every time when user is making a call, the phone will check for standard GSM network encryption (A5/1) detecting if the call is intercepted off air (by a GSM Interceptor) or at network switch level (SS7), by pinging the network core. In case of call interception, the phone will display a visual alert.

There are also default applications installed on the phone:
 - Proton Mail
 - Proton VPN
 - Tutanota client
 - Telegram X
 - Hotmail client
 - Yahoo client
 - Microsoft Outlook client
 - PayPal client
 - Facebook lite client
 - Messenger client
 - Fire Onion
 - Orbot
 - Tor
 - Orfox
 - Anti-theft security & alarm
 - Security Lock
 - Secret Photo Video Locker
 - Open Signal -  a comprehensive cell tower locator
 - Burner: temporary disposable phone numbers