
Covert surveillance campaigns abused SS7, Diameter, and SIMjacker-style SMS to track phones

Tags: telecommunications-sector-threat, state-sponsored-espionage, command-and-control-method, embedded-device-vulnerability, threat-infrastructure-tracking
Updated April 24, 2026 at 05:01 PM (7 sources)


Citizen Lab reported two covert surveillance campaigns that exploited weaknesses in global mobile signalling infrastructure to track targets’ locations across borders. The operations, labeled STA1 and STA2, abused legacy SS7 and newer Diameter protocols, with one campaign also using SIMjacker-style zero-click binary SMS and malicious SIM Toolkit commands to try to turn a handset into a covert beacon. Researchers said the activity marks the first time real-world attack traffic has been directly linked to mobile operator signalling systems, showing attackers impersonating operators, rotating identities across countries, manipulating routing paths, and evading signalling firewalls while exploiting weak authentication and trusted telecom interconnect relationships.

The campaigns were observed using operator identifiers and infrastructure tied to networks in Europe, Africa, the Middle East, and Asia, including telecoms cited as transit or entry points such as 019Mobile, Tango Networks U.K., and Airtel Jersey. Citizen Lab said the activity is consistent with commercial surveillance platforms serving government intelligence customers, and one campaign may have links to an Israeli geo-intelligence provider, though no vendor or operator was conclusively attributed. The researchers warned that abuse of leased or intermediary signalling access, combined with long-standing flaws in roaming trust models, has enabled large volumes of hard-to-detect location tracking that may persist for years across 3G, 4G, and 5G-connected environments.

Timeline

  1. Apr 23, 2026

    Researchers suggest possible Israeli commercial surveillance link

    Following publication of the research, Citizen Lab and media reports said routing evidence and other clues suggested one campaign may be tied to an Israeli-based commercial geo-intelligence or surveillance company. The researchers did not name a vendor and said the evidence was not sufficient for definitive attribution.

  2. Apr 23, 2026

    Citizen Lab publishes report on two covert telecom surveillance campaigns

    Citizen Lab publicly disclosed its investigation into two surveillance actors, STA1 and STA2, saying it had linked real-world attack traffic to mobile operator signalling infrastructure for the first time. The report said the campaigns were consistent with commercial surveillance platforms supporting state intelligence customers, but stopped short of naming a specific vendor or government.

  3. Feb 1, 2025

    STA2 launches SIMjacker-style telecom surveillance campaign

    In February 2025, Citizen Lab observed STA2 combine SS7 probing, a zero-click binary SMS, malicious SIM Toolkit commands, and Diameter queries in an attempt to turn a target phone into a covert location beacon. The campaign showed abuse of both legacy and newer mobile network signalling protocols.

  4. Nov 1, 2024

    STA1 conducts SS7 and Diameter tracking campaign against Middle East subscriber

    In November 2024, Citizen Lab observed threat actor STA1 carry out a multi-stage location-tracking operation targeting a high-profile subscriber in the Middle East. The actor switched between SS7 and Diameter, rotated operator identities across countries, and manipulated routing paths to evade signalling firewalls.

  5. Jan 1, 2022

    Telecom surveillance activity shows multi-year persistence from 2022

    Citizen Lab reported telemetry indicating covert abuse of mobile signalling infrastructure had persisted for multiple years, with related operator identifiers and infrastructure appearing from 2022 onward across numerous countries. The activity suggested long-running exploitation of SS7 and Diameter trust relationships in the telecom ecosystem.

Related Stories

Fake CAPTCHA SMS Fraud and SMS Blaster Smishing Target Mobile Users

Infoblox researchers reported a long-running **International Revenue Share Fraud (IRSF)** campaign that uses fake CAPTCHA pages to trick mobile users into sending premium-rate international text messages. Victims are funneled through typosquatted telecom-themed domains, ad-network redirects, and **Traffic Distribution System (TDS)** infrastructure to scam landing pages that present bogus verification steps. Those prompts trigger JavaScript that opens the phone’s SMS app with pre-filled messages and dozens of international numbers, and a single four-step interaction can generate about **60 SMS messages to more than 50 destinations**, costing roughly **$30 or more** per session. Researchers said the operation has been active since at least 2020, uses high-fee destinations including **Azerbaijan, Egypt, and Myanmar**, and has been linked to an affiliate of a European **Click2SMS** network using infrastructure hosted on **AS15699, Adam Ecotech**. Separately, Toronto police arrested three men in what authorities described as Canada’s first criminal case involving a mobile **SMS blaster**, a rogue device that impersonates a cellular tower to push phishing texts and disrupt legitimate service. Investigators said the devices were tracked across the Greater Toronto Area after one was detected in downtown Toronto, and police seized multiple SMS blasters and related equipment. Authorities believe **tens of thousands of phones** connected to the rogue system, contributing to more than **13 million network disruptions** that may have interfered with normal mobile access and even emergency services such as **911**. The cases highlight how attackers are abusing both web lures and fake base-station hardware to scale **smishing** and mobile billing fraud.

5 days ago
SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links

Recent research highlighted systemic security and privacy risks created by **sign-in/authentication links delivered over SMS**, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected **332,000 unique SMS-delivered URLs** extracted from **33 million texts** sent to **30,000+ phone numbers**, and reported that messages from **701 endpoints** on behalf of **177 services** exposed *critical PII*. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems. Greek police separately dismantled a criminal operation in the Athens area that used a **rogue mobile base station** (an “**SMS blaster**”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and **downgraded them from 4G to 2G**, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with **phishing links** used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals. Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.

1 month ago
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data

Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.

1 month ago