Commercial spyware doesn't need your permission. Pegasus, Predator, and Hermit operate invisibly on your device right now. SmartScan performs forensic-grade network analysis to expose what your antivirus cannot see.
Commercial spyware is no longer exclusive to nation-states. Any government, corporation, or criminal with $25K can deploy it against you.
No link to click. No file to download. Modern spyware exploits vulnerabilities in iMessage, WhatsApp, and SMS to silently take control. Your device is compromised before you know it exists.
Microphone, camera, GPS, messages, calls, passwords, encrypted chats — everything. Spyware operators see more of your life than you remember yourself. Even Signal and Telegram are compromised at the device level.
Designed by intelligence agencies, these tools leave no visible traces. No app icons, no battery drain warnings, no suspicious notifications. Traditional security software is blind to them.
NSO Group, Intellexa, RCS Lab — mercenary spyware vendors sell to 87+ countries. Journalists, activists, lawyers, executives: if you matter to someone, you're a target.
SmartScan performs real-time network traffic analysis through secure ephemeral tunnels to identify spyware communication patterns that endpoint protection cannot detect.
Log in to the SmartScan platform. If you have credits, launch a forensic session.
A WireGuard-based ephemeral capture tunnel is generated. All traffic is securely routed through it.
The system captures network traffic in real time — no manual PCAP upload required.
Forensic analysis runs against 45+ signatures. Full MITRE ATT&CK Mobile & Enterprise v18.1 mapping included.
Real output from SmartScan forensic analysis. Every finding is mapped to MITRE ATT&CK techniques with severity scoring.
Every finding includes packet timestamps, hash verification, and methodology documentation suitable for legal proceedings.
Share findings with threat intelligence platforms. Compatible with MISP, OpenCTI, and enterprise SIEM solutions.
Non-technical overview for leadership and legal teams. Clear risk assessment and recommended immediate actions.
Referenced packet captures for each finding. Cryptographic hashes ensure evidence integrity throughout chain of custody.
Used by organizations that cannot afford to be compromised.
Counter-intelligence and protective security divisions
Digital forensics units investigating spyware abuse
Fortune 500 executive protection programs
Major newsrooms protecting investigative journalists
Court-defensible analysis requires separating facts from interpretation. Our 4-step framework ensures every conclusion is evidence-based and legally admissible.
Objective, measurable technical facts extracted directly from network traffic. No interpretation — just raw data with timestamps and packet references.
Technical meaning of the observation based on protocol standards, industry knowledge, and contextual analysis.
Multiple possible explanations are considered — not just the most alarming one. We present alternatives to let investigators decide.
Probability assessment based on corroborating evidence across multiple engines. Confidence scores reflect real statistical correlation.
"A forensic conclusion without multiple hypotheses is an opinion, not evidence." — SmartScan Forensic Analysis Philosophy
No tool detects everything. We believe transparency about our limitations builds trust and helps you make informed decisions.
Our detection is only as good as our IOC database. We aggregate indicators from the world's most trusted threat intelligence sources — updated automatically.
Aggregated from Amnesty Tech, Citizen Lab, Google TAG, Microsoft MSTIC. Covers Pegasus, Predator, Hermit, FinSpy, Candiru, QuaDream, Chrysaor.
JA3 fingerprints, malicious certificates, and C2 IPs from SSL Blacklist. Primary source for TLS-based threat detection.
Full JA4+ fingerprint suite: JA4, JA4S, JA4H, JA4T, JA4X. Identifies apps, libraries, malware, and OS from TLS patterns.
IOCs shared by the infosec community. Domains, IPs, file hashes, and JA3 fingerprints for active malware campaigns.
Banking trojan C2 infrastructure. Tracks Emotet, TrickBot, QakBot, IcedID, and Dridex command servers.
Malware distribution URLs. Tracks active download sites for trojans, ransomware, and mobile malware droppers.
Suricata rules curated for mobile forensics. Covers mobile malware, stalkerware, RATs, and botnet C2 patterns.
Threat actor and tool clusters. Links IOCs to known APT groups and commercial spyware vendors.
"Don't Route Or Peer" list. IP ranges hijacked by spammers, bullet-proof hosters, and malware operators.
Legitimate domain whitelist. Reduces false positives by excluding known-good traffic from analysis.
Our reports are designed to meet evidentiary standards for legal proceedings. Every finding includes cryptographic verification and chain of custody tracking.
Every PCAP file, log, and analysis artifact is hashed with SHA256. Any modification breaks the hash, proving evidence integrity.
Complete audit trail: who collected evidence, when, from where. Each custody event is cryptographically linked to prevent tampering.
Our methodology follows NIST guidelines for digital forensics: collection, examination, analysis, and reporting phases.
Evidence handling follows international standards for identification, collection, acquisition, and preservation of digital evidence.
Every network event has precise UTC timestamps traceable to original packet capture. Essential for timeline reconstruction.
Standardized threat intelligence format accepted by law enforcement and intelligence agencies worldwide.
Every finding is mapped to MITRE ATT&CK v18.1 — both Mobile and Enterprise matrices. We focus on PCAP-observable techniques relevant to spyware network forensics.
Every hour you wait is another hour of surveillance. Connect through our secure tunnel and get answers in minutes, not days.
Authenticated users with credits can launch sessions instantly. All traffic is captured through ephemeral WireGuard tunnels. Enterprise plans include dedicated infrastructure and on-premise deployment options.
Actual SmartScan detection reports from infected devices. Each case demonstrates our multi-engine correlation, MITRE ATT&CK mapping, and kill chain analysis. Names redacted for privacy.
IOC match with known C2 infrastructure. Full kill chain from initial access to data exfiltration.
Behavioral detection + JA3 fingerprint match. Encrypted C2 communication with certificate anomalies.
Commercial surveillance app with persistent beaconing. Location tracking and SMS exfiltration detected.
Credential harvesting malware with data exfiltration to multiple C2 endpoints. Browser data theft patterns.
⚠️ Attribution Note: Spyware family names (e.g., Pegasus, Predator) are reported only when IOC or JA3/JA4 fingerprints match verified indicators from Citizen Lab, Google TAG, Amnesty Tech, or similar sources. For behavioral-only detections, we report threat category without specific attribution.
Our detection engine covers the most comprehensive database of mobile surveillance tools, from nation-state grade spyware to commercial stalkerware.
Our evidence handling process follows ISO 27037 and NIST SP 800-86 guidelines, ensuring digital evidence admissibility in legal proceedings worldwide.
PCAP file uploaded via TLS 1.3 encrypted channel. Original file preserved in write-protected storage.
Working copy created for analysis. Original remains untouched and cryptographically verified.
Automated analysis with complete audit trail. Every action logged with timestamps.
Comprehensive report with cryptographic proof of evidence integrity throughout.
Evidence securely deleted after retention period (or immediately upon request).
Documented investigations demonstrating SmartScan's detection capabilities. All cases anonymized to protect client confidentiality.
European investigative journalist suspected targeted surveillance after sources compromised.
Victim suspected spouse had installed monitoring software. Law enforcement referral.
Fortune 500 executive's device showing anomalous battery drain and data usage.
Embassy staff devices analyzed after suspected state-sponsored intrusion.
📋 All case details anonymized per client confidentiality agreements. Specific technical indicators redacted. Available for detailed discussion under NDA.
Our forensic experts provide courtroom testimony and technical consultation for civil and criminal proceedings involving digital surveillance evidence.
Qualified expert witnesses with extensive experience testifying in federal, state, and international courts on mobile forensics and surveillance technology.
Comprehensive written opinions meeting Daubert/Frye standards, suitable for submission as evidence in legal proceedings.
Pre-litigation technical assessment to evaluate evidence strength and develop case strategy involving surveillance allegations.
Critical review of opposing expert reports and forensic analyses to identify methodological flaws or unsupported conclusions.
For expert witness inquiries, contact our legal services team:
legal@securepath.biz
Multi-layer detection pipeline combining signature matching, behavioral analysis, and machine learning for comprehensive threat identification.
Time-sensitive investigations require rapid response. Our SLA commitments ensure you get results when you need them.
💡 SLA Guarantee: If we miss our committed turnaround time, you receive a 50% credit on that analysis. No questions asked.
An honest comparison with other mobile forensics and spyware detection solutions. Different tools for different use cases.
| Feature | SmartScan | MVT (Amnesty) | Cellebrite UFED | Oxygen Forensic | iVerify |
|---|---|---|---|---|---|
| Analysis Method | Network/PCAP | Device Backup | Physical/Logical | Physical/Cloud | On-device scan |
| No Physical Access Required | Yes | No (backup needed) | No | No | Partial |
| Pegasus Detection | Yes (C2 + IOC) | Yes (artifacts) | Limited | Limited | Yes |
| Spyware Families Covered | 200+ | ~20 | App-dependent | App-dependent | ~30 |
| JA3/JA4 Fingerprinting | 2,500+ signatures | No | No | No | No |
| MITRE ATT&CK Mapping | 138 techniques | No | Basic | Basic | No |
| Real-time C2 Detection | Yes | No (post-mortem) | No | No | Limited |
| DGA Detection | ML-based | No | No | No | No |
| Court-Admissible Reports | ISO 27037 | Manual | Yes | Yes | No |
| Expert Witness Available | Yes | Community | Yes ($$$) | Yes ($$$) | No |
| Threat Intel Integration | 10+ feeds | Citizen Lab IOCs | Proprietary | Proprietary | Limited |
| Open Source | No (SaaS) | Yes (Python) | No | No | No |
| Pricing | From Free | Free | $10,000+/year | $5,000+/year | $100/scan |
| Best For | Network forensics, ongoing monitoring | Post-compromise analysis | Law enforcement (physical) | Enterprise forensics | Quick consumer checks |
📋 Note: This comparison is based on publicly available information as of January 2026. MVT (Mobile Verification Toolkit) by Amnesty International is an excellent open-source tool for device forensics and we recommend using it in conjunction with SmartScan for comprehensive analysis. SmartScan specializes in network-based detection where physical device access is not possible or desired.
Key terms and concepts used in mobile forensics and spyware detection. Essential reading for legal professionals and non-technical stakeholders.
Military-grade spyware developed by NSO Group (Israel). Capable of zero-click exploitation of iOS and Android devices. Can access all data including encrypted messages. Primary targets: journalists, activists, politicians. Detection via network C2 patterns and IOC matching.
Commercial spyware by Cytrox/Intellexa (North Macedonia/Greece). Similar capabilities to Pegasus but different C2 infrastructure. Uses one-click exploitation via malicious links. Sanctioned by US Commerce Department in 2023.
Italian-made surveillance software by RCS Lab. Deployed by governments in Italy, Kazakhstan, Syria. Distributed via fake carrier apps. Requires user interaction to install but has extensive surveillance capabilities.
Commercial surveillance apps marketed for "parental monitoring" or "employee tracking" but commonly used for intimate partner surveillance. Examples: mSpy, FlexiSpy, Cocospy. Typically requires physical access to install.
Packet Capture - Standard file format for storing network traffic. Contains raw network packets with timestamps. Created by tools like Wireshark, tcpdump. The primary evidence format analyzed by SmartScan.
TLS client fingerprinting technique that creates a hash of SSL/TLS handshake parameters. Each application has a unique fingerprint. JA3 = MD5 hash, JA4 = newer format with more detail. Used to identify malware even when domain changes.
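To make the JA3 entry concrete, here is an added example (not SmartScan's code, and not the reference JA3 implementation) that builds the JA3 string from ClientHello parameters, strips the per-connection GREASE values so the hash stays stable across connections, and looks the MD5 up in a fingerprint table. The ClientHello values and the fingerprint table are constructed for illustration; the label "SAMPLE-FAMILY (constructed)" is not a real indicator.

```python
import hashlib

# GREASE values (RFC 8701) are chosen randomly per connection, so JA3 leaves them out.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _field(values):
    """Dash-join one ClientHello list, dropping GREASE entries (JA3 convention)."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: version,ciphers,extensions,elliptic_curves,point_formats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint = MD5 of the JA3 string (hex)."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello parameter sets. HELLO_A and HELLO_B are the same client
# on two connections (only the GREASE values differ); HELLO_C is a different client.
HELLO_A = dict(version=771, ciphers=[0x0a0a, 4865, 4866, 49195, 49199],
               extensions=[0x1a1a, 0, 23, 10, 11, 43],
               curves=[0x2a2a, 29, 23, 24], point_formats=[0])
HELLO_B = dict(version=771, ciphers=[0x3a3a, 4865, 4866, 49195, 49199],
               extensions=[0x4a4a, 0, 23, 10, 11, 43],
               curves=[0x5a5a, 29, 23, 24], point_formats=[0])
HELLO_C = dict(version=771, ciphers=[4865, 49195, 156, 47],
               extensions=[0, 10, 11], curves=[23, 24], point_formats=[0])

# Constructed feed: a threat-intel feed would publish JA3 strings or hashes like these.
FEED = {
    "771,4865-4866-49195-49199,0-23-10-11-43,29-23-24,0": "SAMPLE-FAMILY (constructed)",
}
FINGERPRINTS = {hashlib.md5(s.encode("ascii")).hexdigest(): label for s, label in FEED.items()}


def classify(hello):
    """Return the feed label for a ClientHello's JA3 hash, or None if unknown."""
    return FINGERPRINTS.get(ja3_hash(**hello))


if __name__ == "__main__":
    for name, hello in (("A", HELLO_A), ("B", HELLO_B), ("C", HELLO_C)):
        print(name, ja3_string(**hello), ja3_hash(**hello), classify(hello))
```

The point of the GREASE filter is the stability the glossary entry relies on: the same client produces the same hash every time it connects, regardless of which domain or IP it talks to.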
Command and Control - Server infrastructure used by attackers to send commands to compromised devices and receive stolen data. Spyware "phones home" to C2 servers. Detection focus: identifying C2 communication patterns in network traffic.
Periodic network connections from malware to C2 servers at regular intervals (e.g., every 60 seconds). Creates a recognizable pattern in traffic analysis. Jitter (randomization) may be added to evade detection.
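The beaconing entry describes a pattern that can be tested for directly. The following added example (not SmartScan's engine) groups a connection log by destination and flags destinations whose inter-arrival times are regular even after jitter, using the coefficient of variation (standard deviation divided by the mean) of the gaps. The connection log is constructed; the addresses are documentation ranges and the thresholds (six events, CV at most 0.2) are assumptions an analyst would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (epoch seconds, "dst_ip:port"). Not real traffic.
BASE = 1_700_000_000
CONNECTIONS = (
    # implant-style beacon: ~60 s period with a few seconds of jitter
    [(BASE + t, "198.51.100.23:443") for t in (0, 58, 121, 179, 242, 299, 361, 418)]
    # ordinary browsing: bursts followed by long idle periods
    + [(BASE + t, "203.0.113.7:443") for t in (0, 3, 4, 90, 91, 95, 400, 1200)]
)


def inter_arrival(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_stats(timestamps):
    """Return (mean_gap, cv) or None. A low cv means the gaps are nearly constant."""
    gaps = inter_arrival(timestamps)
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(connections, min_events=6, max_cv=0.2):
    """Map destination -> (mean_gap, cv) for destinations that look like beacons."""
    by_dst = defaultdict(list)
    for ts, dst in connections:
        by_dst[dst].append(ts)
    found = {}
    for dst, ts in by_dst.items():
        if len(ts) < min_events:          # too few events to call it periodic
            continue
        stats = beacon_stats(ts)
        if stats and stats[1] <= max_cv:  # regular spacing survives modest jitter
            found[dst] = stats
    return found


if __name__ == "__main__":
    for dst, (m, cv) in find_beacons(CONNECTIONS).items():
        print(f"{dst}: mean interval {m:.1f}s, cv {cv:.3f}")
```

Jitter raises the CV but, at the few-seconds-on-a-minute level shown here, not past a 0.2 threshold; heavier randomization needs a longer observation window or a different statistic, which is why the minimum event count matters as much as the CV cutoff.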
Indicator of Compromise - Artifacts that indicate potential intrusion: IP addresses, domains, file hashes, URLs. Shared via threat intel feeds. Example: domain.tld is known Pegasus C2.
Domain Generation Algorithm - Malware technique that algorithmically generates new domain names for C2. Makes blocking difficult as domains change. SmartScan uses ML to detect DGA patterns.
Global knowledge base of adversary tactics and techniques. Organized by phases: Initial Access → Execution → Persistence → ... → Exfiltration. SmartScan maps findings to 138 techniques across Mobile and Enterprise matrices.
Transport Layer Security - Encryption protocol for secure communication. HTTPS uses TLS. Even encrypted traffic reveals metadata: certificate info, handshake patterns, timing. Spyware often uses self-signed or anomalous certificates.
Documentation of evidence handling from collection to court presentation. Must show: who collected, when, how stored, who accessed. Essential for evidence admissibility. SmartScan maintains automatic chain of custody records.
Cryptographic fingerprint of a file. Any modification changes the hash completely. Used to prove evidence integrity: if hash matches, file is unaltered. Example: e3b0c44298fc1c149...
Bit-for-bit exact duplicate of digital evidence. Original preserved, copy used for analysis. Verified via hash comparison before and after copying. Prevents contamination of original evidence.
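The hash, forensic copy and chain of custody entries above, and the evidence-handling steps earlier on the page (hashing every artifact with SHA256, a cryptographically linked custody trail, a verified working copy), can be shown in one small routine. This is an added example, not SmartScan's implementation: it streams SHA-256 over a file, makes a working copy and checks it against the original, and keeps an append-only custody log in which every entry commits to the hash of the previous one, so editing any entry breaks verification. The PCAP content is a constructed few bytes, and the actor names are placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, streamed so a large PCAP need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copy(original, copy_path):
    """Copy the evidence and prove the copy is bit-for-bit identical; return the hash."""
    before = shutil.copyfile(original, copy_path) and sha256_file(original)
    after = sha256_file(copy_path)
    if before != after:
        raise RuntimeError("working copy does not match original")
    return before


class CustodyLog:
    """Append-only custody record; each entry hashes over the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, actor, action, artifact, artifact_sha256, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor, "action": action,
            "artifact": artifact, "sha256": artifact_sha256,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """True only if every entry is intact and correctly linked to its predecessor."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo(workdir=None):
    """Run the workflow on constructed files; returns the values worth checking."""
    workdir = workdir or tempfile.mkdtemp()
    original = os.path.join(workdir, "capture.pcap")
    with open(original, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)   # constructed: pcap magic + zero header
    empty = os.path.join(workdir, "empty.bin")
    open(empty, "wb").close()

    log = CustodyLog()
    original_hash = sha256_file(original)
    log.record("collector-placeholder", "acquired", "capture.pcap", original_hash)
    copy_hash = make_working_copy(original, os.path.join(workdir, "capture.work.pcap"))
    log.record("analyst-placeholder", "working copy created", "capture.work.pcap", copy_hash)
    chain_ok = log.verify()

    log.entries[0]["actor"] = "someone-else"        # simulate after-the-fact tampering
    return {"original_hash": original_hash, "copy_hash": copy_hash,
            "empty_hash": sha256_file(empty), "chain_ok": chain_ok,
            "tampered_ok": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The empty file's digest is the value the glossary's hash example begins with (e3b0c442...), which is a handy sanity check that the hashing routine is doing what it claims.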
Unauthorized transfer of data from a compromised device to attacker-controlled servers. Spyware exfiltrates: messages, photos, location, contacts, call recordings. Often encrypted and sent to C2 infrastructure.
Attack that requires no user interaction. Device compromised by receiving a message, image, or call - victim doesn't need to click anything. Pegasus famously uses zero-click exploits via iMessage and WhatsApp.
Remote Access Trojan - Malware providing remote control of infected device. Capabilities: screen viewing, file access, camera/mic activation, keylogging. Examples: AndroRAT, SpyNote, AhMyth.
Measuring randomness in data. Encrypted or compressed data has high entropy (~8 bits/byte). Used to detect hidden encrypted channels in seemingly normal traffic. Abnormal entropy in DNS queries may indicate DNS tunneling.
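The entropy entry, and the earlier DGA entry, both come down to the same measurement: how evenly the characters of a DNS label are distributed. This added example (not SmartScan's ML detector; a plain Shannon-entropy heuristic) scores every label below the TLD, skips short labels and allowlisted registered domains to keep false positives down, and flags the rest above a threshold. Query names, the allowlist, the 3.5-bit threshold and the 12-character minimum are all constructed assumptions; the registered-domain logic takes the last two labels and is a simplification of what a public suffix list would give.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per symbol in a string or byte sequence (0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def registered_domain(qname):
    """Simplified: last two labels. A real tool would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def suspicious_labels(qname, threshold=3.5, min_len=12):
    """Entropy of each non-TLD label that is long and random-looking enough to flag."""
    labels = qname.rstrip(".").lower().split(".")[:-1]
    return {lab: shannon_entropy(lab) for lab in labels
            if len(lab) >= min_len and shannon_entropy(lab) >= threshold}


def flag_dns_queries(qnames, allowlist, threshold=3.5, min_len=12):
    """Map flagged query name -> highest label entropy; allowlisted domains are skipped."""
    flagged = {}
    for q in qnames:
        if registered_domain(q) in allowlist:
            continue
        hits = suspicious_labels(q, threshold, min_len)
        if hits:
            flagged[q] = max(hits.values())
    return flagged


# Constructed sample queries; none of these are real indicators.
QUERIES = [
    "www.example.com",                                         # normal, low entropy
    "mail.example.com",                                        # short label, ignored
    "abcdefghijklmnop.cdn.example.com",                        # high entropy but allowlisted
    "abcdefghijklmnopqrstuvwxyz234567.tunnel-example.net",     # base32-like: tunnel pattern
    "xkqzvbwrmtlpgjhd.biz",                                    # DGA-like registered label
]
ALLOWLIST = {"example.com"}   # constructed stand-in for the legitimate-domain whitelist


if __name__ == "__main__":
    for q, e in flag_dns_queries(QUERIES, ALLOWLIST).items():
        print(f"{q}: {e:.2f} bits/char")
```

Entropy alone is a weak signal (legitimate CDNs and cloud services also use hashed hostnames), which is why the allowlist and a length floor are part of the check rather than an afterthought; a production detector would combine this score with query volume, label length and response patterns.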
Information about threats: IOCs, attacker TTPs, malware signatures. Sources: Citizen Lab, Amnesty Tech, Google TAG, commercial feeds. SmartScan integrates 10+ threat intel feeds updated daily.