Throughout our careers as forensic and anti-fraud investigators, we have probably been asked many times whether we can verify if a cellular device is “tapped”. There are multiple forensic techniques with which a variety of devices can be analyzed, from the oldest to the newest, as well as a multitude of software, some free or cheap and others more expensive. However, not all computers are tapped through software; I have analyzed devices that have absolutely nothing installed/modified and yet they are tapped.
Some interception of cellular devices is carried out through call forwarding and impersonation of cellular antennas.
In this article, let’s look at what these and other interception techniques are about. They can be used both to listen to conversations and to divert them, and what concerns us is knowing whether our mobile is under one of these two schemes.
Call forwarding or call diversion
Operators have 4 types of forwarding that can be activated: CFU (Call Forwarding Unconditional), which is used to forward all voice calls in case the original call cannot be answered due to being offline; CFB (Call Forwarding on Busy), which is used to forward the call when the line is busy; CFNRY (Call Forwarding on No Reply), which is used to forward the call if for some reason it is not answered; and CFNRC (Call Forwarding on mobile subscriber Not Reachable), which diverts the call in case the number cannot be reached in the operator (SIM canceled, number disabled).
These characteristics are not typical of a “call interception” system; however, they could be used for this purpose. To find out if your telephone has any of these diversions, you must dial the code “*#62#”.
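As an added example (not code from the original article), the following Python sketch decodes dial codes of this kind using the call-forwarding service codes and operation prefixes assigned in 3GPP TS 22.030, and builds the status-query code for each of the four forwarding types listed above. The function names are hypothetical.

```python
import re

# Call-forwarding service codes assigned in 3GPP TS 22.030 (Annex B).
FORWARDING_SERVICES = {
    "21": "CFU",
    "67": "CFB",
    "61": "CFNRY",
    "62": "CFNRC",
    "002": "ALL",
    "004": "ALL_CONDITIONAL",
}

# Operation prefixes from the same specification. "*" followed by
# parameters also registers the forwarding; it is labelled "activate" here.
OPERATIONS = {
    "*#": "interrogate",
    "**": "register",
    "##": "erase",
    "*": "activate",
    "#": "deactivate",
}

# prefix, 2-3 digit service code, optional "*"-separated parameters, final "#"
MMI_RE = re.compile(r"^(\*#|\*\*|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")


def parse_mmi(code):
    """Return (operation, forwarding type, parameters), or None when the
    string is not a call-forwarding code."""
    m = MMI_RE.match(code.strip())
    if not m or m.group(2) not in FORWARDING_SERVICES:
        return None
    prefix, service, tail = m.groups()
    params = tail.split("*")[1:] if tail else []
    return OPERATIONS[prefix], FORWARDING_SERVICES[service], params


def interrogation_code(forwarding_type):
    """Build the status-query code for one forwarding type."""
    for service, name in FORWARDING_SERVICES.items():
        if name == forwarding_type:
            return "*#" + service + "#"
    raise ValueError("unknown forwarding type: " + forwarding_type)


def audit_plan():
    """Query codes for the four forwarding types named in the article."""
    return {t: interrogation_code(t) for t in ("CFU", "CFB", "CFNRY", "CFNRC")}
```

Under this mapping `parse_mmi("*#62#")` returns `("interrogate", "CFNRC", [])`; `audit_plan()` gives the query code for each of the other three types, and `##002#` decodes as erasing all forwardings.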
Impersonation of cellular antennas or fake towers
Devices called “fake cell towers” can be found in the Chinese market. They simulate a cell phone antenna, and your device connects to it because it appears to be the closest antenna with the strongest signal. These antennas are transported in van-type vehicles that park in front of your company, house or apartment.
You can find out which cell tower your phone is connected to at all times by installing the OpenSignal app from the App Store or Google Play. Once installed, the antenna information, the CELL ID and the LAC (Location Area Code) will be displayed. These numbers can be entered into the opencellid.org public database.
Wiretapping at the operator and at the device
Some countries have telephone interception rooms (operated and managed by government entities, military, police and intelligence agencies) that can be used for “wiretapping”. Basically, they have access to the two points of the conversation: the origin and the destination. This kind of interception cannot be detected at the endpoint because there are no symptoms or indications that show such activity.
There is also so-called software wiretapping, which consists of installing one of the many applications that exist for this purpose on the mobile device. Indicators that allow us to suspect this class of applications include: abnormal battery consumption, unusual use of the data plan, unwanted ads while browsing, performance problems, strange text messages, jailbreaks, roots and unrecognized applications.
The spy chip in the batteries
In the Chinese market there is access to a battery that incorporates a chip with environmental listening and GPS functions, which can be swapped in for the original battery of the device. These kinds of mechanisms can usually be detected by opening the device and verifying the battery serial number with the manufacturer.
(NSA, 2018) Mechanisms of Cell Phone Tapping
NOFRAUD is the company that develops The Fraud Explorer anti-fraud software and supports individuals and companies to face and solve their challenges regarding internal fraud, corruption and corporate abuse. NOFRAUD has created the largest behavioral database of dishonest acts in the world in Spanish and English, which is used by artificial intelligence to find suspicious patterns of corruption within organizations.