SmartScan — Mobile Network Forensic Analysis
Real-time detection of state-level mobile threats. SmartScan captures all device network traffic through a secure WireGuard tunnel and processes it with a 12-engine analysis pipeline to identify spyware command-and-control beacons, data exfiltration channels, and covert surveillance infrastructure — all without requiring device root, MDM enrollment, or filesystem access.
SmartScan is designed for law enforcement forensic units, counter-intelligence teams, diplomatic security services, and any organization that needs to verify device integrity against commercial spyware such as Pegasus (NSO Group), Predator (Intellexa/Cytrox), and Graphite (Paragon Solutions). Classification: TLP:GREEN for this page — no IOC data is disclosed. Specific indicators are shared only under NDA at TLP:AMBER.
Threat Landscape
Commercial spyware platforms used by state actors follow a predictable operational pattern:
- Delivery — Zero-click exploits via messaging apps, network injection (MITM at carrier level), or physical access during device seizure.
- Implant persistence — Kernel-level or application-level persistence depending on platform capability and target OS version.
- Command & Control (C2) — The implant establishes periodic beacons to C2 infrastructure, typically disguised within legitimate protocol traffic (HTTPS to cloud providers, WebSocket over CDN, DNS over HTTPS).
- Data exfiltration — Captured data (messages, calls, location, camera, microphone) is uploaded in compressed, encrypted chunks to staging servers, often through multiple proxy layers.
Detection Patterns (Generic — No IOCs)
SmartScan engines detect the following behavioral patterns without relying on specific IOC signatures:
| Pattern | What it reveals | Engine(s) |
|---|---|---|
| High-entropy payloads to low-reputation ASNs | Encrypted exfiltration to non-standard infrastructure | Entropy, IP Reputation, GeoIP |
| TLS ClientHello fingerprint anomalies (JA3/JA4) | Non-browser TLS stacks used by implant libraries | TLS Fingerprinting |
| DNS queries with high subdomain entropy | DGA-based C2 resolution or DNS tunneling | DNS Analysis |
| Periodic beaconing with fixed intervals (±jitter) | Automated C2 heartbeat pattern | Behavioral, Suricata |
| Certificate chain anomalies (self-signed, untrusted issuer, short-lived or wildcard certs on hosts where they are unexpected) | Rogue TLS infrastructure for interception or C2. Short-lived and wildcard certificates on their own are weak signals, since CDNs and ACME-issued sites use them routinely; they matter when correlated with other engines | Certificate Validation |
| Protocol-port mismatch (e.g., non-HTTP on 80, non-TLS on 443) | Tunnel protocol abuse for C2 channel hiding | Protocol Analysis |
| Large asymmetric upload bursts | Bulk data exfiltration sessions | Behavioral, Covert Channel |
| Connections to jurisdictions inconsistent with user profile | C2 infrastructure geolocation anomaly | GeoIP Analysis |
Capture & Analysis Pipeline
SmartScan operates as a network-level forensic tool. The full pipeline runs without any access to the device filesystem, application sandbox, or OS internals:
Pipeline Steps
- Authentication — Device authenticates via Auth0 Device Authorization Grant (RFC 8628). No passwords stored on device; token refreshed per-session. Server validates JWT signature, audience, and expiry.
- Tunnel establishment — WireGuard GoBackend creates a full-tunnel VPN (0.0.0.0/0 route) using Curve25519 key exchange and ChaCha20-Poly1305 encryption, so all device traffic routes through the analysis server. On dual-stack networks the route set must also cover ::/0; IPv6 traffic left outside the tunnel never reaches wg0 and is invisible to every engine.
- Traffic capture — Server-side tcpdump captures all traffic on the WireGuard interface (wg0) for the configured duration (60–600 seconds). PCAP is stored server-side with AES-256 at rest.
- Parallel analysis — 12 engines process the PCAP simultaneously. Each engine produces an independent alert set with severity classification.
- Cross-engine correlation — The correlation engine aggregates alerts across all engines, de-duplicates, and applies weighted scoring to produce a unified threat assessment.
- Report generation — Forensic report is compiled with severity-classified alerts (HIGH / MODERATE / LOW), executive summary, and per-engine detail sections.
- Secure delivery — Report is delivered to the device via HTTPS with TLS certificate pinning (SHA-256). Report can be viewed in-app or exported as PDF.
12-Engine Analysis Matrix
Each engine operates independently and produces its own alert set. The cross-engine correlator then fuses results for final severity scoring.
Severity Classification
- HIGH: Confirmed spyware pattern match or multi-engine correlation above threshold. Immediate investigation recommended.
- MODERATE: Suspicious behavior detected by 2+ engines. Review recommended within 24h.
- LOW: Single-engine anomaly or informational finding. Logged for baseline comparison.
Engine Technology Stack
Suricata 8.0 IDS
Signature-based detection with Emerging Threats Open ruleset plus custom rules for commercial spyware patterns. Multi-threaded PCAP processing with full protocol reassembly. Produces EVE JSON alerts with classification, severity, and flow metadata.
Zeek 8.0 Network Monitor
Protocol-level analysis producing structured connection logs, DNS logs, SSL logs, HTTP logs, and file extraction metadata. Custom Zeek scripts detect anomalous session patterns, unusual port usage, and covert channel indicators.
TLS/JA4 Fingerprinting
Extracts JA3 and JA4 fingerprints from every TLS ClientHello and correlates them against known fingerprint databases for malware families, flagging TLS stacks that deviate from the expected browser/OS profile of the device. JA4H is a fingerprint of HTTP request headers and is therefore only available for connections carried in the clear, since payloads are not decrypted. JARM is an active fingerprint of the server, obtained by sending it a set of crafted ClientHellos, so it comes from a follow-up probe of an observed destination rather than from the captured handshake itself.
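As an added illustration (not SmartScan's code), the following Python computes a JA3 fingerprint from a raw ClientHello and compares it against a baseline of known-good hashes, the way a fingerprint engine flags a TLS stack that does not match the device's browser or OS. GREASE filtering is the detail most home-grown implementations get wrong, so the browser-like sample includes GREASE values. Both ClientHello byte strings are constructed inline for the demonstration; the cipher lists, extensions and the baseline set are assumptions, not values from the page.

```python
"""JA3 fingerprint of a raw TLS ClientHello (added example, stdlib only)."""
import hashlib
import struct


def is_grease(value: int) -> bool:
    # GREASE values (RFC 8701) look like 0x?a?a and are randomised per connection,
    # so JA3/JA4 drop them; keeping them would change the hash on every handshake.
    return (value & 0x0F0F) == 0x0A0A


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello and return the JA3 input fields."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                     # legacy_version, then the 32-byte random
    pos += 1 + hs[pos]                # session_id (length-prefixed)
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                # compression_methods (length-prefixed)
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 10:           # supported_groups (elliptic_curves in JA3 terms)
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:         # ec_point_formats (one-byte length, one byte per format)
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}


def ja3(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    f = parse_client_hello(record)

    def dashed(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    s = ",".join([str(f["version"]), dashed(f["ciphers"]), dashed(f["extensions"]),
                  dashed(f["groups"]), "-".join(str(v) for v in f["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record. Constructed test input, not a real capture."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni(host: bytes) -> bytes:
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    return struct.pack("!H", len(entry)) + entry


# Browser-like ClientHello: GREASE cipher/extension/group, TLS 1.3 suites, SNI, signature algs.
BROWSER_HELLO = build_client_hello(0x0303, [0x3A3A, 0x1301, 0x1302, 0xC02B, 0xC02F], [
    (0x2A2A, b""),
    (0, sni(b"example.com")),
    (10, struct.pack("!HHHH", 6, 0x6A6A, 0x001D, 0x0017)),
    (11, b"\x01\x00"),
    (13, b"\x00\x04\x04\x03\x08\x04"),
])
# Implant-like ClientHello from a small embedded TLS stack: no GREASE, no SNI, two suites.
IMPLANT_HELLO = build_client_hello(0x0303, [0xC02F, 0x009C], [
    (10, struct.pack("!HH", 2, 0x0017)),
    (11, b"\x01\x00"),
])


def divergent_fingerprints(records: list, baseline_hashes: set) -> list:
    """Return (ja3_string, ja3_md5) for every ClientHello not in the device's known-good set."""
    return [ja3(r) for r in records if ja3(r)[1] not in baseline_hashes]


if __name__ == "__main__":
    baseline = {ja3(BROWSER_HELLO)[1]}          # assumed: built from the device's own browser/OS traffic
    for s, h in divergent_fingerprints([BROWSER_HELLO, IMPLANT_HELLO], baseline):
        print(f"unknown TLS stack: ja3={h} ({s})")
```

JA3 alone is coarse: many apps share the OS TLS stack, and Chrome's randomised extension order is what motivated JA4's sorted representation. Treat an unknown hash as a lead to correlate with destination reputation and timing, not as a verdict.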
DNS Threat Analysis
Frequency analysis and Shannon entropy scoring on queried domains. Detects DGA patterns, DNS tunneling (unusual TXT/CNAME record sizes and long encoded labels), fast-flux networks, and resolution to known sinkhole infrastructure. Queries sent over DNS over HTTPS or DNS over TLS are opaque to this engine and appear only as TLS flows to the resolver, so they can only be judged by fingerprint, destination reputation and timing, not by query content.
IP Reputation & GeoIP
Multi-feed threat intelligence correlation for destination IPs. ASN mapping and CIDR-level reputation scoring. MaxMind GeoIP2 for jurisdictional risk assessment. Flags connections to sanctioned regions and known hosting providers used by commercial spyware operators.
Behavioral & Covert Channel
Statistical profiling of traffic volume, timing, and upload/download ratios. Detects periodic beaconing (fixed interval ± jitter), asymmetric burst patterns consistent with exfiltration, and protocol abuse (ICMP tunneling, HTTP header channels, DNS covert channels).
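The two behavioral checks named above and in the Detection Patterns table (fixed-interval beaconing with jitter, and asymmetric upload bursts), as an added example in Python run over constructed Zeek conn.log-style records. This is illustrative code, not the SmartScan Behavioral engine; the thresholds (6 flows, 15 % jitter, 10 MB at a 90 % upload ratio) and the sample records are assumptions chosen for the demonstration.

```python
"""Beaconing and asymmetric-upload detection over conn records (added example)."""
import statistics
from collections import defaultdict

BASE = 1_700_000_000

# Constructed Zeek conn.log-style records (ts, responder host/port, bytes each way).
# Not from a real capture; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
CONN_LOG = (
    # C2 heartbeat: ~300 s period with a few seconds of jitter, tiny payloads.
    [{"ts": BASE + t, "resp_h": "203.0.113.10", "resp_p": 443, "orig_bytes": 412, "resp_bytes": 1300}
     for t in (0, 305, 596, 909, 1193, 1502, 1811, 2097)]
    # Browsing to a CDN: irregular timing, download-heavy.
    + [{"ts": BASE + t, "resp_h": "198.51.100.20", "resp_p": 443, "orig_bytes": 2_400, "resp_bytes": 950_000}
       for t in (10, 25, 130, 800, 1650, 1700, 1702)]
    # One session to a staging host pushing ~41 MB up and almost nothing down.
    + [{"ts": BASE + 1800, "resp_h": "203.0.113.77", "resp_p": 443, "orig_bytes": 41_500_000, "resp_bytes": 2_100}]
)


def detect_beacons(records, min_flows=6, max_jitter_cv=0.15):
    """Flag destinations contacted at a near-fixed interval.

    Jitter is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections. Implants add random jitter, but usually only
    a small fraction of the base period, so the CV stays low; human-driven traffic
    to the same host has a CV near or above 1. Thresholds are illustrative.
    """
    by_dst = defaultdict(list)
    for r in records:
        by_dst[(r["resp_h"], r["resp_p"])].append(r["ts"])
    alerts = []
    for dst, ts in by_dst.items():
        ts.sort()
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter_cv:
            alerts.append({"dst": dst, "interval_s": round(mean),
                           "jitter_cv": round(cv, 3), "flows": len(ts)})
    return alerts


def detect_asymmetric_upload(records, min_upload_bytes=10_000_000, min_upload_ratio=0.9):
    """Flag sessions that are almost entirely client-to-server bulk data."""
    alerts = []
    for r in records:
        total = r["orig_bytes"] + r["resp_bytes"]
        ratio = r["orig_bytes"] / total if total else 0.0
        if r["orig_bytes"] >= min_upload_bytes and ratio >= min_upload_ratio:
            alerts.append({"dst": (r["resp_h"], r["resp_p"]), "upload_bytes": r["orig_bytes"],
                           "upload_ratio": round(ratio, 4)})
    return alerts


if __name__ == "__main__":
    for a in detect_beacons(CONN_LOG):
        print("BEACON", a)
    for a in detect_asymmetric_upload(CONN_LOG):
        print("EXFIL", a)
```

A 60 to 600 second capture window only catches beacons whose period is well below the window; a 300 s capture cannot establish periodicity for a 15-minute heartbeat, which is one reason the boot-time and stealth modes matter, since implants tend to check in promptly after connectivity returns.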
Certificate Chain Validation
Full X.509 chain walk on every TLS connection where the server certificate is visible. Detects: self-signed certs on standard ports, expired certificates, revoked certificates (revocation status needs a CRL or OCSP lookup, or a stapled OCSP response, since it cannot be read from the certificate alone), wildcard abuse, and certificates issued by CAs not in the platform trust store. Cross-references Certificate Transparency logs where available. Caveat: TLS 1.3 encrypts the server's Certificate message, so passive chain inspection applies to TLS 1.2 and earlier handshakes; for TLS 1.3 sessions the SNI in the ClientHello is the only server name visible in the clear.
Payload Entropy Analysis
Shannon entropy scoring on TCP/UDP payloads. High-entropy streams to non-standard ports indicate custom encryption channels outside normal TLS. Chunked stream analysis detects staged exfiltration that mimics normal traffic patterns.
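One added example covering both the DNS entropy scoring described under DNS Threat Analysis and the payload entropy scoring described here. It is illustrative Python, not SmartScan's engine code; the domain names, the HTTP request and the seeded pseudo-random "encrypted" stream are constructed inputs, and the thresholds and the port allowlist are assumptions for the demonstration.

```python
"""Shannon entropy scoring for DNS names and raw payloads (added example, stdlib only)."""
import math
import random
from collections import Counter

# Ports where an opaque, high-entropy stream is expected (TLS, DoT, SSH, IMAPS, POP3S, SMTPS).
ENCRYPTED_PORTS = {443, 853, 22, 993, 995, 465}


def shannon_entropy(data) -> float:
    """Entropy in bits per symbol of a str or bytes value (maximum 8.0 for bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def score_dns_query(qname: str, qtype: str) -> dict:
    """Score one query. Thresholds are illustrative, not SmartScan's tuned values."""
    labels = qname.rstrip(".").lower().split(".")
    # Naive zone split: the last two labels are treated as the registered domain.
    # Production code would use the Public Suffix List (co.uk, com.au, ...).
    sub = labels[:-2]
    joined = "".join(sub)
    ent = shannon_entropy(joined)
    reasons = []
    if qtype in ("A", "AAAA") and sub and max(map(len, sub)) >= 12 and ent >= 3.8:
        reasons.append("dga-like label")              # long, high-entropy hostname
    if qtype in ("TXT", "CNAME", "NULL") and len(joined) > 50 and ent > 3.5:
        reasons.append("dns-tunnel-like query")       # encoded data riding in the name
    return {"qname": qname, "qtype": qtype, "entropy": round(ent, 2), "reasons": reasons}


def score_payload(payload: bytes, dst_port: int, window: int = 1024) -> dict:
    """Whole-stream and per-window entropy; flags opaque data on a port where TLS is not expected.

    Per-window scores expose staged exfiltration that hides a few encrypted chunks
    inside an otherwise low-entropy (plaintext-looking) stream.
    """
    windows = [round(shannon_entropy(payload[i:i + window]), 2)
               for i in range(0, len(payload), window)]
    ent = shannon_entropy(payload)
    flagged = dst_port not in ENCRYPTED_PORTS and ent > 7.5
    return {"dst_port": dst_port, "entropy": round(ent, 2), "windows": windows, "flagged": flagged}


# Constructed samples (not real traffic).
QUERIES = [
    ("www.example.com", "A"),
    ("x7k2m9qp3zt1w8vb.example.net", "A"),
    ("aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.ZXhmaWwgZGF0YSBjaHVuayAwMDAx.t.example.org", "TXT"),
]
HTTP_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
OPAQUE_PAYLOAD = random.Random(7).randbytes(4096)    # stands in for a custom-encrypted stream


def flagged_queries(queries=QUERIES) -> list:
    """Names from the sample set that trip either DNS heuristic."""
    return [s["qname"] for s in (score_dns_query(q, t) for q, t in queries) if s["reasons"]]


if __name__ == "__main__":
    for q, t in QUERIES:
        print(score_dns_query(q, t))
    print(score_payload(HTTP_PAYLOAD, 80))
    print(score_payload(OPAQUE_PAYLOAD, 8080))
```

Entropy is a ranking signal, not a verdict: compressed images, video and legitimate end-to-end encrypted messaging also score near 8 bits per byte, which is why the port context and the cross-engine correlation step matter more than the raw score.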
Three Scan Modes
SmartScan supports three operational modes designed for different threat scenarios and operational contexts:
Manual Scan
Trigger: User-initiated via UI button.
Duration: 60–600 seconds (configurable).
Use case: On-demand forensic audit — verify device integrity before sensitive meetings, after traveling to high-risk jurisdictions, or as part of periodic security hygiene.
Operation: User taps "Start Scan" → WireGuard tunnel activates → server captures → engines analyze → report delivered to device.
Cold Boot Scan
Trigger: Automatic on BOOT_COMPLETED broadcast.
Duration: 300 seconds (configurable).
Use case: Boot-time monitoring — captures traffic during the critical first minutes after boot, when persistent implants re-establish C2 connections. Runs automatically without user interaction.
Operation: Device boots → BroadcastReceiver fires → WireGuard tunnel activated → scan runs in background → notification shows results.
Stealth Scan (Paranoid Mode)
Trigger: Armed by user → device powered off 24–48h → first boot.
Duration: 300 seconds (non-configurable).
Use case: Post-seizure verification — when a device has been confiscated, left unattended, or returned after physical access by an adversary. Designed to catch implants installed during the off period that beacon on first connectivity.
Threat model: Border crossing interception, hotel/TSCM scenarios, device return after law enforcement seizure, forensic laboratory analysis.
Stealth Scan — Technical Deep Dive
The Stealth Scan mode addresses the most sophisticated physical-access threat scenario. Its design accounts for the Android restrictions on launching UI from the background, introduced in Android 10 (API 29) and tightened in later releases:
Implementation Details
| Component | Implementation | Why |
|---|---|---|
| Arm persistence | SharedPreferences with stealth_armed=true | Survives reboot; no database dependency |
| Boot receiver | BOOT_COMPLETED BroadcastReceiver | Fires on every cold boot; checks stealth flag |
| Foreground launch | setFullScreenIntent() notification | Android 10+ blocks startActivity() from the background; a full-screen intent notification is the compliant path. On Android 14+ the USE_FULL_SCREEN_INTENT permission is pre-granted only to calling and alarm apps, so the user must grant it in Settings before this path works |
| PIN lock handling | pending_stealth_ui SharedPreferences flag | If PIN lock screen appears before our Activity, we persist intent and navigate after unlock |
| Tunnel wait loop | 5-second polling with 60s timeout | WireGuard GoBackend takes variable time; scan must not start before tunnel is confirmed UP |
| Post-scan cleanup | Clear all stealth flags after report received | Prevents re-trigger on next boot |
Security Architecture
Transport Security
| Layer | Protocol | Cipher | Purpose |
|---|---|---|---|
| Device ↔ Server | WireGuard | ChaCha20-Poly1305, Curve25519 | Full-tunnel capture pipe |
| API calls | HTTPS/TLS 1.3 | AES-256-GCM, ECDHE P-256 | Scan control, report delivery |
| Certificate pinning | SHA-256 pin | — | Prevents MITM on API channel |
| Authentication | OAuth 2.0 Device Grant | RS256 JWT | No passwords on device |
| Storage at rest | AES-256-GCM | — | PCAP and reports encrypted server-side |
Data Handling
- No application-layer decryption — SmartScan analyzes metadata, flow characteristics, and protocol fingerprints. Encrypted payloads remain encrypted.
- PCAP retention — Server-side PCAPs are encrypted at rest with AES-256 and automatically purged after report delivery (configurable retention for compliance).
- No cloud dependency — Analysis runs entirely on Secure Path infrastructure. No data leaves the server to third-party cloud APIs, AI services, or external threat intelligence platforms during analysis.
- Audit trail — Every scan produces a cryptographic chain: device ID → scan timestamp → PCAP hash → engine outputs → report hash. Full forensic provenance for legal proceedings.
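An added Python example of the provenance chain described above (device ID to scan timestamp to PCAP hash to engine outputs to report hash), including verification and a tamper check. It is not SmartScan's implementation; the link format, the JSON canonicalisation and the sample evidence bytes are assumptions for the demonstration.

```python
"""Forensic hash chain from device ID to report hash (added example, stdlib only)."""
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_link(prev_hash: str, stage: str, payload: dict) -> dict:
    """Hash the previous link's hash together with this stage's canonical payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    digest = sha256_hex(f"{prev_hash}|{stage}|".encode() + canonical)
    return {"stage": stage, "prev": prev_hash, "payload": payload, "hash": digest}


def build_chain(device_id: str, scan_ts: str, pcap: bytes, engine_logs: dict, report: bytes) -> list:
    """Link device ID -> scan timestamp -> PCAP hash -> engine outputs -> report hash.

    engine_logs maps engine name to its raw output (e.g. Suricata EVE JSON bytes);
    only digests enter the chain, so the chain itself discloses no traffic content.
    """
    stages = [
        ("device", {"device_id": device_id}),
        ("scan", {"timestamp": scan_ts}),
        ("pcap", {"sha256": sha256_hex(pcap), "bytes": len(pcap)}),
        ("engines", {name: sha256_hex(out) for name, out in sorted(engine_logs.items())}),
        ("report", {"sha256": sha256_hex(report), "bytes": len(report)}),
    ]
    links, prev = [], GENESIS
    for stage, payload in stages:
        link = make_link(prev, stage, payload)
        links.append(link)
        prev = link["hash"]
    return links


def verify_chain(links: list, pcap: bytes = None, report: bytes = None) -> bool:
    """Recompute every link; optionally confirm the evidence files still match their digests."""
    prev = GENESIS
    for link in links:
        if link["prev"] != prev or make_link(prev, link["stage"], link["payload"])["hash"] != link["hash"]:
            return False
        prev = link["hash"]
    by_stage = {link["stage"]: link["payload"] for link in links}
    if pcap is not None and by_stage["pcap"]["sha256"] != sha256_hex(pcap):
        return False
    if report is not None and by_stage["report"]["sha256"] != sha256_hex(report):
        return False
    return True


# Constructed evidence for the demo; stands in for the real PCAP, EVE/Zeek logs and PDF.
PCAP = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + bytes(24)
ENGINE_LOGS = {"suricata": b'{"event_type":"alert","signature_id":0}\n',
               "zeek_conn": b"#fields ts uid id.orig_h\n"}
REPORT = b"%PDF-1.7 constructed report body"


def demo() -> tuple:
    """Return (chain valid, chain valid after tampering, head hash)."""
    chain = build_chain("dev-0001", "2024-01-01T00:00:00Z", PCAP, ENGINE_LOGS, REPORT)
    ok = verify_chain(chain, pcap=PCAP, report=REPORT)
    tampered = json.loads(json.dumps(chain))                              # deep copy
    tampered[3]["payload"]["suricata"] = sha256_hex(b"alerts removed")    # alter one engine digest
    return ok, verify_chain(tampered), chain[-1]["hash"]


if __name__ == "__main__":
    ok, tampered_ok, head = demo()
    print(f"chain valid: {ok}, after tampering: {tampered_ok}, head hash: {head}")
```

A hash chain shows that the stored artefacts are the ones the report was computed from, but anyone holding the server can rebuild a consistent chain. For evidentiary weight the head hash should be signed with a key the server operator cannot silently rotate and, ideally, anchored with an independent timestamp (RFC 3161 or a public transparency log) at scan completion.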
Validated Detection Capabilities
SmartScan has been validated against the following commercial spyware classes (IOC-specific details available under NDA at TLP:AMBER):
| Severity | Threat class / family | Detection surface | SmartScan engines |
|---|---|---|---|
| HIGH | Pegasus-class (zero-click) | C2 beaconing over HTTPS, certificate anomalies, JA3 fingerprint divergence from OS default, high-entropy upload bursts | Suricata, TLS/JA4, Behavioral, Entropy, Certificate |
| HIGH | Predator-class (Intellexa) | Multi-hop C2 via CDN overlay, DNS resolution anomalies, non-standard TLS stacks, geographic dispersion of C2 nodes | DNS, TLS/JA4, GeoIP, IP Reputation, Protocol |
| HIGH | Graphite-class (network injection) | Anomalous connections during messaging-app flows, protocol-port mismatches, certificate chain inconsistencies, large data exfiltration sessions | Protocol, Certificate, Behavioral, Covert Channel, Entropy |
| MODERATE | Government forensic tools (UFED-class) | Post-extraction callback beacons, telemetry upload patterns, atypical DNS query patterns after physical access | DNS, Behavioral, IP Reputation |
| MODERATE | Stalkerware / commercial RATs | Persistent HTTP/HTTPS polling, unencrypted or weakly encrypted C2, known RAT protocol signatures | Suricata, Protocol, TLS/JA4 |
Deployment Architecture
Server Infrastructure
- Dedicated server — Hetzner EX-series (Finland, EU jurisdiction) with full-disk encryption and hardware RAID.
- OS hardened — Rocky Linux with CIS Level 2 benchmark baseline, SELinux enforcing, automated patch management.
- Network isolation — WireGuard interface (wg0) isolated from management plane. Analysis engines run in dedicated namespaces.
- Monitoring — Prometheus + Grafana with alerting on scan failures, engine timeouts, and anomalous traffic patterns.
Client Integration
- Android native — Integrated into QuantorPhone (SMAQ) as a first-class feature. Kotlin, WireGuard GoBackend, Material Design 3 UI.
- SDK available — SmartScan SDK can be integrated into third-party secure communication platforms. REST API + WireGuard tunnel library.
- React Native bridge — NativeModule wrapper available for React Native-based secure messaging apps.
- Minimum requirements — Android 9+ (API 28), no root, no MDM, 15 MB storage, standard network connectivity.
Compliance & Forensic Standards
- Chain of custody — Cryptographic hash chain from device to report ensures forensic integrity for legal proceedings.
- GDPR Article 32 — Encryption at rest and in transit, automated data minimization, configurable retention policies.
- ePrivacy compliant — No content interception; metadata-only analysis.
- NATO STANAG compatible — Designed for deployment within NATO partner communication security frameworks.
- Law enforcement ready — Reports structured for inclusion in criminal proceedings. Per-alert evidence chain with engine attribution and confidence scoring.
Request SmartScan Access
SmartScan is available as an integrated feature of QuantorPhone or as a standalone SDK for qualified partners. For IOC briefings (TLP:AMBER), integration documentation, and commercial terms, contact our security team.
General enquiries: info@securepath.biz
Secure channel (PGP): ac@securepath.biz — Download PGP public key
Fingerprint: 85CE 91EA FF45 527B 5ABA A295 38DA 1D77 501B 1902
Company: Secure Path LTD — 41 Devonshire Street, London W1G 7AJ, United Kingdom