
SmartScan — Pegasus, Predator & Graphite Detection via Network Forensics

Detect Pegasus, Predator, Graphite, Candiru and 87+ commercial spyware families — directly from your device. No root. No MDM. No filesystem access. Just network truth.

  • 12 analysis engines
  • 87+ spyware families
  • <15 min full scan
  • 0 root required

Available as an integrated feature of QuantorPhone (SMAQ) or as a standalone SDK for qualified government and enterprise partners.


Product

SmartScan is a full-stack forensic analysis platform that runs entirely from the Android device. Scan, detect, and report — all through a single, intuitive interface.


Specifications

  • 12 Analysis Engines: IDS engine, network monitor, TLS/JA4, DNS, IP reputation, GeoIP, behavioral, covert channel, certificate, entropy, protocol, cross-engine correlator
  • 138 MITRE ATT&CK Mappings: Full coverage across T1071, T1095, T1573, T1008, T1041, T1568 and more — mapped to Mobile ATT&CK v18.1
  • 3 Scan Modes: Manual on-demand, Cold Boot automatic, and Stealth (Paranoid) post-seizure scan for maximum threat coverage
  • E2E Encrypted Pipeline: Encrypted VPN tunnel (ChaCha20-Poly1305), AES-256-GCM at rest, TLS 1.3 for API, zero third-party data leakage
  • 0 Dependencies: No root, no MDM, no filesystem access, no content decryption — pure network metadata analysis
  • SOV Sovereign Infrastructure: Dedicated on-premise deployment. No third-party cloud, AI or analytics services. Fully self-contained under client operational control

Three Scan Modes

Manual Scan

Trigger: User-initiated via UI button.

Duration: 60–600 seconds (configurable).

Use case: On-demand forensic audit before sensitive meetings, after traveling to high-risk jurisdictions, or as periodic security hygiene.

Cold Boot Scan

Trigger: Automatic on BOOT_COMPLETED.

Duration: 600 seconds (configurable).

Use case: Captures traffic during the critical first minutes after boot when persistent implants re-establish C2 connections.

Stealth Scan (Paranoid Mode)

Trigger: Armed → device off 24–48h → first boot.

Duration: 600 seconds (non-configurable).

Use case: Post-seizure verification — catches implants installed during physical access that beacon on first connectivity.


NATO STANAG Compatible


WHY NATO COMPLIANCE MATTERS

  • SmartScan is designed to operate within NATO STANAG 4774/4778 communication security frameworks
  • Forensic chain of custody ensures evidence integrity for allied intelligence review
  • All data processing on sovereign infrastructure — full operational control, no third-party exposure
  • Aligns with NATO CCDCOE (Tallinn) cyber defence operational standards
  • Compatible with ASD C3 Taxonomy for threat classification interoperability

Compliance Framework

| Standard | Scope | SmartScan Coverage |
|---|---|---|
| NATO STANAG 4774 | Confidence metadata for intelligence products | Per-alert confidence scoring with engine attribution; multi-engine correlation produces weighted confidence levels |
| NATO STANAG 4778 | Metadata binding for information sharing | STIX 2.1 export with metadata binding for NATO-compatible intelligence platforms |
| NIST SP 800-86 | Guide to integrating forensic techniques into incident response | Full forensic pipeline: capture → preserve → analyze → report with cryptographic hash provenance at every step |
| EU NIS2 Directive | Network and information systems security for essential entities | Sovereign deployment model, GDPR Art. 32 encryption, automated incident detection and reporting |
| MITRE ATT&CK Mobile v18.1 | Adversary tactic and technique knowledge base | 138 technique mappings across 12 engines; machine-readable TTP correlation for SOC integration |
| NATO CCDCOE | Cooperative Cyber Defence Centre of Excellence (Tallinn) | Operational methodology aligned with CCDCOE published best practices for mobile device forensic examination |

Why NATO Standards for Mobile Forensics?

NATO member states and partner organizations increasingly require their communication security tools to meet interoperability and forensic integrity standards originally designed for military intelligence. SmartScan is built to meet these requirements.

Procurement note: SmartScan is available via direct commercial licensing from Secure Path LTD (UK). NATO certification documentation and NSPA procurement references are available to qualified government entities upon request. Contact ac@securepath.biz for security accreditation packages and pricing.

Threat Landscape

Commercial spyware platforms used by state actors follow a predictable operational pattern:

  1. Delivery — Zero-click exploits via messaging apps, network injection (MITM at carrier level), or physical access during device seizure.
  2. Implant persistence — Kernel-level or application-level persistence depending on platform capability and target OS version.
  3. Command & Control (C2) — The implant establishes periodic beacons to C2 infrastructure, typically disguised within legitimate protocol traffic (HTTPS to cloud providers, WebSocket over CDN, DNS over HTTPS).
  4. Data exfiltration — Captured data (messages, calls, location, camera, microphone) is uploaded in compressed, encrypted chunks to staging servers, often through multiple proxy layers.
Key insight: While zero-click delivery is invisible to the user, the C2 communication and exfiltration phases always generate network traffic that can be detected through behavioral analysis, protocol fingerprinting, and destination intelligence — even when payloads are encrypted. This is SmartScan's detection surface.

Detection Patterns (Generic — No IOCs)

| Pattern | What it reveals | Engine(s) |
|---|---|---|
| High-entropy payloads to low-reputation ASNs | Encrypted exfiltration to non-standard infrastructure | Entropy, IP Reputation, GeoIP |
| TLS ClientHello fingerprint anomalies (JA3/JA4) | Non-browser TLS stacks used by implant libraries | TLS Fingerprinting |
| DNS queries with high subdomain entropy | DGA-based C2 resolution or DNS tunneling | DNS Analysis |
| Periodic beaconing with fixed intervals (±jitter) | Automated C2 heartbeat pattern | Behavioral, IDS |
| Certificate chain anomalies (self-signed, short-lived, wildcard) | Rogue TLS infrastructure for interception or C2 | Certificate Validation |
| Protocol-port mismatch (e.g., non-HTTP on 80/443) | Tunnel protocol abuse for C2 channel hiding | Protocol Analysis |
| Large asymmetric upload bursts | Bulk data exfiltration sessions | Behavioral, Covert Channel |
| Connections to jurisdictions inconsistent with user profile | C2 infrastructure geolocation anomaly | GeoIP Analysis |

Capture & Analysis Pipeline

SmartScan operates as a network-level forensic tool. The full pipeline runs without any access to the device filesystem, application sandbox, or OS internals:

Pipeline Steps

  1. Authentication — Device authenticates via Auth0 Device Authorization Grant (RFC 8628). No passwords stored on device; token refreshed per-session.
  2. Tunnel establishment — Encrypted VPN creates a full-tunnel route (0.0.0.0/0) using Curve25519 key exchange and ChaCha20-Poly1305 encryption.
  3. Traffic capture — Server-side capture on the VPN interface for the configured duration (60–600 seconds). PCAP is stored with AES-256 at rest.
  4. Parallel analysis — 12 engines process the PCAP simultaneously. Each engine produces an independent alert set with severity classification.
  5. Cross-engine correlation — Aggregates alerts across all engines, de-duplicates, and applies weighted scoring for a unified threat assessment.
  6. Report generation — Forensic report compiled with severity-classified alerts (HIGH / MODERATE / LOW), executive summary, and per-engine detail.
  7. Secure delivery — Report delivered to device via HTTPS with TLS certificate pinning (SHA-256). View in-app or export as PDF.
Privacy by design: SmartScan never decrypts application-layer traffic. Analysis operates on metadata, flow characteristics, protocol fingerprints, and destination intelligence. The PCAP contains encrypted payloads only — SmartScan cannot and does not read message content, calls, or media.

12-Engine Analysis Matrix

Each engine operates independently and produces its own alert set. The cross-engine correlator fuses results for final severity scoring.

Severity Classification

HIGH Confirmed spyware pattern or multi-engine correlation above threshold. Immediate investigation recommended.
MODERATE Suspicious behavior detected by 2+ engines. Review within 24h.
LOW Single-engine anomaly or informational finding. Logged for baseline comparison.
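As an added illustration of the correlator fusion step described above (not SmartScan's own code): a small Python correlator that de-duplicates per-engine alerts, counts distinct engines per destination, and assigns HIGH / MODERATE / LOW using the rule set stated above. The engine weights and the HIGH score threshold are assumptions, since the page does not publish them; the alert set is constructed sample data.

```python
from collections import defaultdict

# Illustrative per-engine weights (assumption: the page gives no weights).
ENGINE_WEIGHT = {"IDS": 3.0, "TLS/JA4": 2.0, "DNS": 1.5, "Behavioral": 2.0,
                 "Entropy": 1.0, "Certificate": 1.5, "GeoIP": 0.5,
                 "IP Reputation": 2.0}
HIGH_THRESHOLD = 5.0  # assumption: weighted score at/above which a multi-engine hit is HIGH

# Constructed alert set: (engine, destination, ATT&CK technique).
# The duplicate Behavioral alert is deliberate to show de-duplication.
SAMPLE_ALERTS = [
    ("Behavioral", "203.0.113.10", "T1071"),
    ("Behavioral", "203.0.113.10", "T1071"),   # same alert emitted twice
    ("TLS/JA4", "203.0.113.10", "T1573"),
    ("Entropy", "203.0.113.10", "T1041"),
    ("DNS", "198.51.100.5", "T1568"),
    ("GeoIP", "198.51.100.5", "T1071"),
    ("Certificate", "192.0.2.44", "T1573"),
]


def correlate(alerts, high_threshold=HIGH_THRESHOLD):
    """De-duplicate alerts, then score each destination across engines.

    HIGH: 2+ engines and weighted score at/above threshold.
    MODERATE: 2+ engines below threshold.  LOW: a single engine.
    """
    unique = set(alerts)  # exact duplicates collapse here
    by_dst = defaultdict(list)
    for engine, dst, technique in unique:
        by_dst[dst].append((engine, technique))

    results = {}
    for dst, hits in by_dst.items():
        engines = {e for e, _ in hits}
        score = sum(ENGINE_WEIGHT.get(e, 1.0) for e in engines)
        if len(engines) >= 2 and score >= high_threshold:
            severity = "HIGH"
        elif len(engines) >= 2:
            severity = "MODERATE"
        else:
            severity = "LOW"
        results[dst] = {"severity": severity,
                        "engines": sorted(engines),
                        "techniques": sorted({t for _, t in hits}),
                        "score": score}
    return results


if __name__ == "__main__":
    for dst, r in correlate(SAMPLE_ALERTS).items():
        print(dst, r["severity"], r["engines"], r["techniques"])
```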

Engine Technology Stack

Intrusion Detection Engine

Signature-based detection with Emerging Threats Open plus custom commercial spyware rules. Multi-threaded PCAP processing with full protocol reassembly. Structured alerts with classification, severity, and flow metadata.

Network Traffic Monitor

Protocol-level analysis: connection logs, DNS logs, SSL logs, HTTP logs, file extraction. Custom scripts detect anomalous session patterns, unusual port usage, and covert channel indicators.

TLS/JA4 Fingerprinting

JA3, JA4, JA4H, and JARM fingerprints from every TLS handshake. Correlates against known malware family fingerprints. Detects non-standard TLS stacks deviating from expected browser/OS profiles.

DNS Threat Analysis

Shannon entropy scoring on queried domains. Detects DGA patterns, DNS tunneling, fast-flux networks, and resolution to known sinkhole infrastructure.

IP Reputation & GeoIP

Multi-feed threat intelligence for destination IPs. ASN and CIDR-level reputation scoring. MaxMind GeoIP2 for jurisdictional risk. Flags connections to sanctioned regions and known spyware hosting providers.

Behavioral & Covert Channel

Statistical profiling of traffic timing and volume. Detects periodic beaconing, asymmetric burst patterns, and protocol abuse (ICMP tunneling, HTTP header channels, DNS covert channels).

Certificate Chain Validation

Full X.509 chain walk. Detects self-signed certs, expired/revoked certificates, wildcard abuse, and CAs not in the platform trust store. Cross-references Certificate Transparency logs.

Payload Entropy Analysis

Shannon entropy on TCP/UDP payloads. High-entropy streams to non-standard ports indicate custom encryption channels. Chunked stream analysis detects staged exfiltration mimicking normal traffic.
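Two of the detection patterns listed in the table above and in the engine descriptions (Shannon entropy on DNS labels from the DNS Threat Analysis engine, and fixed-interval beaconing from the Behavioral engine), written out as added Python example code rather than SmartScan's own implementation. The thresholds (3.5 bits per character, 20% interval variation, 5 connections minimum) and the sample queries and timestamps are constructed for illustration.

```python
import math
from statistics import mean, pstdev

# Constructed sample data (not from any real capture): DNS query names and
# per-destination connection timestamps in seconds since capture start.
SAMPLE_DNS = [
    "www.example.com",
    "cdn.example.net",
    "x7k2q9vz4m1p8n3r.example.org",   # constructed high-entropy leftmost label
    "ab.example.com",
]
SAMPLE_FLOWS = {
    "203.0.113.10": [0.0, 60.2, 119.8, 180.4, 240.1, 299.7, 360.3],  # ~60 s, small jitter
    "198.51.100.5": [0.0, 3.1, 40.0, 41.2, 200.5, 202.0],           # bursty, human-like
}


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns_labels(names, min_len=12, threshold=3.5):
    """Flag names whose leftmost label is long and high-entropy (DGA / tunnel indicator)."""
    flagged = []
    for name in names:
        label = name.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= threshold:
            flagged.append((name, round(ent, 2)))
    return flagged


def beaconing_destinations(flows, min_conns=5, max_cv=0.2):
    """Flag destinations whose inter-connection gaps are near-constant (C2 heartbeat)."""
    flagged = {}
    for dst, times in flows.items():
        if len(times) < min_conns:          # too few samples to call it periodic
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)      # coefficient of variation: low means periodic
        if cv <= max_cv:
            flagged[dst] = round(mean(gaps))  # mean beacon interval in whole seconds
    return flagged
```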

Stealth Scan — Technical Deep Dive

The Stealth Scan mode addresses the most sophisticated physical-access threat scenario. Its design accounts for Android platform restrictions introduced in API 31+ (Android 12).

Why 24–48 hours off? This window is calibrated to the operational pattern of physical-access implant deployment. Intelligence-grade spyware installers require physical access time. The 24–48h window ensures the device has been off long enough for a realistic attack scenario. Upon first boot, any newly installed implant will immediately attempt C2 communication — SmartScan captures this exact window.

Security Architecture

Transport Security

| Layer | Protocol | Cipher | Purpose |
|---|---|---|---|
| Device ↔ Server | Encrypted VPN | ChaCha20-Poly1305, Curve25519 | Full-tunnel capture pipe |
| API calls | HTTPS/TLS 1.3 | AES-256-GCM, ECDHE P-256 | Scan control, report delivery |
| Certificate pinning | | SHA-256 pin | Prevents MITM on API channel |
| Authentication | OAuth 2.0 Device Grant | RS256 JWT | No passwords on device |
| Storage at rest | | AES-256-GCM | PCAP and reports encrypted |

Data Handling

Validated Detection Capabilities

SmartScan has been validated against the following commercial spyware classes (IOC-specific details available under NDA at TLP:AMBER):

| Threat Class | Vendor/Family | Detection Surface | SmartScan Engines |
|---|---|---|---|
| HIGH | Pegasus-class (zero-click) | C2 beaconing, certificate anomalies, JA3 divergence, high-entropy upload bursts | IDS, TLS/JA4, Behavioral, Entropy, Certificate |
| HIGH | Predator-class (Intellexa) | Multi-hop C2 via CDN, DNS anomalies, non-standard TLS, geographic dispersion | DNS, TLS/JA4, GeoIP, IP Reputation, Protocol |
| HIGH | Graphite-class (network injection) | Anomalous messaging flows, protocol-port mismatches, certificate chain issues, large exfiltration | Protocol, Certificate, Behavioral, Covert Channel, Entropy |
| MODERATE | Government forensic tools (UFED-class) | Post-extraction callback beacons, telemetry uploads, atypical DNS after physical access | DNS, Behavioral, IP Reputation |
| MODERATE | Stalkerware / commercial RATs | Persistent HTTP/HTTPS polling, weak C2 encryption, known RAT signatures | IDS, Protocol, TLS/JA4 |

IOC Classification: Specific indicators of compromise are classified TLP:AMBER and shared only under NDA with qualified partners and law enforcement. Contact ac@securepath.biz (PGP encrypted) for access.

Deployment Architecture

Server Infrastructure

Request SmartScan Access

SmartScan is available as an integrated feature of QuantorPhone or as a standalone SDK for qualified government and enterprise partners. For IOC briefings (TLP:AMBER), NATO STANAG documentation, integration guides, and commercial terms:

General enquiries: info@securepath.biz
Secure channel (PGP): ac@securepath.biz (PGP public key available for download)
Fingerprint: 85CE 91EA FF45 527B 5ABA A295 38DA 1D77 501B 1902
Company: Secure Path LTD — Registered office: 41 Devonshire Street, London W1G 7AJ, United Kingdom. Operations: distributed.