We regularly monitor evolving threats to mobile network security. Due to fundamental design elements in cellular protocols – such as one-way authentication in earlier generations – voice calls and data transmissions remain vulnerable to silent interception by unauthorized devices like IMSI catchers.

What Are IMSI Catchers?

IMSI catchers act as fake base stations, mimicking legitimate cell towers. Nearby devices connect to them, enabling the capture of identifiers such as the IMSI and potential interception of traffic. This threatens privacy, particularly during sensitive communications.

Secure messaging apps provide limited protection, as vulnerabilities exist at the network layer.

Related Scamming Kits

Devices like SMS blasters use similar technology to impersonate towers and broadcast fraudulent messages, evading carrier controls. These contribute to smishing campaigns.

Real-World Incidents

  • In February 2025, Philippine authorities arrested five individuals (three Filipinos and two Chinese nationals) using vehicle-mounted IMSI catchers to surveil government and military sites in Metro Manila.
  • In March 2025, a suspect was arrested in Pasay City, Philippines, for selling an IMSI catcher capable of data collection within a 500-meter radius, priced at approximately PHP 600,000.

Additional arrests in 2025 involved foreign nationals possessing such devices, highlighting risks to national security.

IMSI Catcher Detection Techniques

Detection of IMSI catchers relies on identifying anomalies in cellular network behavior. Common methods include monitoring for protocol downgrades (e.g., forcing a device from 4G/5G to 2G/3G, where encryption is weaker or absent), unexpected changes in the serving cell or location area, sudden changes in signal strength, or non-standard requests for permanent identifiers such as the IMSI.

Android applications such as AIMSICD and SnoopSnitch analyze radio signals for these anomalies, often requiring root access for deeper monitoring. Detection is more challenging on iOS due to restricted access to low-level radio data.

In 4G and 5G networks, mutual authentication reduces risks, but active catchers can still force downgrades to exploit older protocols. Passive catchers are harder to detect as they do not transmit signals.

Network operators can detect suspicious signaling activity via SS7 or similar protocols.

A notable advancement is the open-source tool Rayhunter, released by the Electronic Frontier Foundation in March 2025. It runs on affordable mobile hotspots (such as the Orbic model, costing around $20) and monitors control channel traffic for suspicious events, like unexpected 2G downgrades or unusual IMSI requests, without capturing user data. Rayhunter provides real-time alerts via a simple interface and allows log exports in PCAP format for analysis.
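As an added illustration of the heuristics described in this section (not code from this post, from Rayhunter or from any of the apps named above), the following Python script checks a constructed sequence of cell observations against the downgrade, signal-jump, new-cell, ciphering-loss and identity-request rules. The observation fields, the sample values and the 25 dB threshold are assumptions; on a real device these readings would come from the modem's diagnostic interface.

```python
from dataclasses import dataclass

# Generation order: a move to a lower rank is a downgrade (2G/3G are the weak ones)
RAT_RANK = {"2G": 0, "3G": 1, "4G": 2, "5G": 3}

@dataclass
class CellObservation:
    t: int                  # seconds since capture start (assumed field)
    rat: str                # radio access technology the phone is camped on
    cell_id: int            # serving cell identifier
    lac: int                # location / tracking area code
    rssi: int               # received signal strength in dBm
    identity_request: bool  # network asked for the permanent IMSI in clear
    ciphered: bool          # connection negotiated encryption

def detect_anomalies(observations, signal_jump_db=25):
    """Return (time, reason) alerts for the heuristics listed in the post."""
    alerts, known_lacs, prev = [], set(), None
    for obs in observations:
        if prev is not None:
            # 1. Protocol downgrade from 4G/5G to 2G/3G
            if RAT_RANK[obs.rat] <= 1 < RAT_RANK[prev.rat]:
                alerts.append((obs.t, f"downgrade {prev.rat}->{obs.rat}"))
            # 2. Sudden change in signal strength (a nearby strong transmitter)
            if abs(obs.rssi - prev.rssi) >= signal_jump_db:
                alerts.append((obs.t, f"signal jump {prev.rssi}->{obs.rssi} dBm"))
            # 3. New cell announcing a location area never seen in this capture
            if obs.cell_id != prev.cell_id and obs.lac not in known_lacs:
                alerts.append((obs.t, f"new cell {obs.cell_id} in unknown LAC {obs.lac}"))
            # 4. Loss of ciphering (alert once, on the transition)
            if prev.ciphered and not obs.ciphered:
                alerts.append((obs.t, "connection no longer ciphered"))
        # 5. Request for the permanent identifier instead of a temporary one
        if obs.identity_request:
            alerts.append((obs.t, "identity request for permanent IMSI"))
        known_lacs.add(obs.lac)
        prev = obs
    return alerts

# Constructed sample: two normal 4G readings, then a sudden strong 2G cell
SAMPLE = [
    CellObservation(0, "4G", 1001, 50, -85, False, True),
    CellObservation(30, "4G", 1001, 50, -83, False, True),
    CellObservation(60, "2G", 9999, 77, -50, True, False),
    CellObservation(90, "2G", 9999, 77, -52, False, False),
]
```

Running `detect_anomalies(SAMPLE)` yields five alerts, all at t=60, which is the kind of clustering a practitioner would treat as worth investigating rather than any single rule on its own.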

Protection Measures

We at vali.now recommend using verified secure channels with end-to-end encryption and watching for network anomalies, such as unexpected downgrades. More research is needed on reliable detection in 5G networks.
