As smartphone users have become more aware that fake cell phone towers, known as IMSI catchers or stingrays, can spy on them, developers have rushed to offer apps that detect when your phone connects to one. Unfortunately, it seems, those tools aren't as effective as they claim. Watching the watchers turns out to be a complicated business.

Researchers from Oxford University and the Technical University of Berlin today plan to present the results of a study of five stingray-detection apps. The results aren't encouraging. In fact, they found they could fully circumvent each one, allowing the researchers to trick the phones into handing over their sensitive data.

To skirt some of the detection apps, the spy would need to know the unique IMSI identifier of the target's phone ahead of time, perhaps by using an IMSI catcher on the victim earlier or obtaining it from their carrier via a legal order. But for two of the most popular detector apps, someone could just as easily use a stingray to steal that IMSI identifier and start tracking and wiretapping them from the first time they targeted them, without raising any warning from the person's stingray-monitoring app.

"People have the sense that IMSI-catcher detection apps can protect you against tracking," says Ravishankar Borgaonkar, the lead researcher on the study, which his co-authors are presenting at the Usenix Workshop on Offensive Technologies. "This research demonstrates that these apps fail to detect IMSI catchers and lack fundamental technical capabilities. And it highlights the problems in building such privacy protection apps for everybody."

Spy vs Spy

In their experiments, the Oxford and Berlin researchers tested Android apps SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD, the first three of which have each been downloaded between a hundred thousand and a half million times, according to the Google Play store's stats. (Borgaonkar himself is the co-creator of the Darshak app, which he launched back in 2014.) All of those apps were designed to send alerts when they detect that a phone has connected to a rogue cell tower that could eavesdrop on its calls and data, or steal the IMSI—international mobile subscriber identity, a number uniquely assigned to each phone on a GSM network—that would allow it to track the owner's location.

Actual stingray devices, like those sold by companies Harris and BAE Systems, cost thousands of dollars and are notoriously difficult to obtain outside of government agencies. Instead, the researchers built their own surveillance setup for their tests. Called White-Stingray, the system uses only a PC and a software-defined radio, which allows it to receive and transmit a wide and highly adaptable range of radio frequencies. (Their setup only tested IMSI catchers that work by downgrading phones' communications to 2G signals, since most of the detection apps focused on that generation of IMSI catcher. More recent models, Borgaonkar says, intercept 3G and 4G signals, making them even harder for apps to detect.)

The team set up their makeshift stingray in a room-sized Faraday cage, to prevent it from accidentally intercepting the phone signals of anyone outside the room. Upon pitting each app against their surveillance tool, they found that each one looked for clues of only a few of the techniques a fake cell tower system might use to track or tap a phone. The apps could detect some hints that the phone was under stingray surveillance. They alerted the user, for instance, when White-Stingray downgraded the phone’s connection to a 2G signal to exploit the older protocol’s weaker security, as well as when it established a connection between the "cell tower" and the phone that lacked encryption. They could also tell when the stingray sent “silent” text messages, which ping the phone to determine its presence without displaying anything to the user, and that the fake tower didn’t exist on previous cell tower maps.
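
The four indicators listed above, written out as an added example (not code from the study or from any of the tested apps): a stateful check over a stream of radio events. The event fields, cell identifier format, known-cell set and sample data are all constructed assumptions, and a detector limited to these signals covers only the handful of techniques the article says the apps looked for.

```python
from dataclasses import dataclass

# Relative ordering of radio generations, used to spot a downgrade.
RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}

@dataclass
class Event:
    ts: int               # seconds since start of capture (constructed)
    kind: str             # "serving_cell" or "sms"
    rat: str = ""         # radio generation of the serving cell
    cell_id: str = ""     # hypothetical "MCC-MNC-LAC-CID" string
    ciphered: bool = True # whether the link negotiated encryption
    silent: bool = False  # SMS delivered with nothing shown to the user

def detect(events, known_cells):
    """Return (ts, indicator) alerts for the four signals named in the article."""
    alerts = []
    prev_rat = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "serving_cell":
            # 1. Forced fallback from a newer generation to 2G.
            if prev_rat and ev.rat == "2G" and RAT_RANK[prev_rat] > RAT_RANK["2G"]:
                alerts.append((ev.ts, "downgrade_to_2g"))
            # 2. Connection to the "tower" without encryption.
            if not ev.ciphered:
                alerts.append((ev.ts, "unencrypted_link"))
            # 3. Tower absent from previously recorded cell maps.
            if ev.cell_id not in known_cells:
                alerts.append((ev.ts, "unknown_cell"))
            prev_rat = ev.rat
        elif ev.kind == "sms" and ev.silent:
            # 4. Silent SMS used to ping the phone.
            alerts.append((ev.ts, "silent_sms"))
    return alerts

# Constructed sample data: a previously mapped cell set and a short event stream.
KNOWN = {"262-01-100-1", "262-01-100-2"}
SAMPLE = [
    Event(0, "serving_cell", rat="4G", cell_id="262-01-100-1"),
    Event(60, "serving_cell", rat="2G", cell_id="262-01-999-7", ciphered=False),
    Event(65, "sms", silent=True),
    Event(300, "serving_cell", rat="4G", cell_id="262-01-100-2"),
]

if __name__ == "__main__":
    for ts, name in detect(SAMPLE, KNOWN):
        print(ts, name)
```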