FAQ | SmartScan Forensic Spyware Detection

Frequently Asked Questions

Technical and legal questions from forensic investigators, CISOs, and legal counsel.

// Independence & Neutrality

Who is behind SmartScan?

SmartScan is developed by Secure Path Ltd, a UK-registered company.

Our team consists of independent security researchers with:

  • No ties to government surveillance programs
  • No contracts with intelligence agencies or law enforcement
  • No commercial relationships with spyware manufacturers

Our only source of revenue is helping people detect threats. We have no reason to miss anything.

Why does independence matter for spyware detection?

The spyware industry has structural conflicts of interest.

In December 2024, Amnesty International documented how Serbian police used Cellebrite UFED to unlock activists' phones, then immediately installed NoviSpy spyware on them. The same ecosystem that provides "forensic tools" also enables surveillance.

The question to ask: When your analysis tool comes from the same industry that produces spyware, can you trust it to find everything?

We believe detection tools should be independent from the surveillance industry. That's why we built SmartScan with no connections to spyware vendors, government contracts, or intelligence agencies.

Do you have connections to spyware manufacturers?

No. Zero commercial, technical, or political relationships with:

  • NSO Group (Pegasus)
  • Paragon Solutions (Graphite)
  • Intellexa / Cytrox (Predator)
  • RCS Lab (Hermit)
  • Candiru (DevilsTongue)
  • QuaDream (REIGN)
  • Any other surveillance technology vendor

We don't sell spyware. We don't work with those who use it. We only detect it.

Do other forensic tools reliably detect government spyware?

The publicly documented Pegasus infections were identified by independent researchers, not by consumer security products running on the victims' devices. The first confirmed case, in 2016, was published by Citizen Lab together with the mobile security firm Lookout; since then the bulk of the documented cases have come from Citizen Lab (University of Toronto) and Amnesty International's Security Lab.

Citizen Lab and Amnesty's Security Lab have documented most of the known government spyware campaigns; others came from Google's Threat Analysis Group and from Kaspersky (Operation Triangulation). The security tools installed on the affected devices did not flag these infections.

We use the same IOC databases that independent researchers publish, combined with network behavioral analysis that doesn't rely on file-system access.

Our approach: If Citizen Lab or Amnesty publishes new spyware indicators, they're in our database within days — not months.

If Cellebrite works with police, don't they have better access?

Access is not the same as incentive.

In December 2024, Amnesty International's Security Lab documented how Serbian police used Cellebrite UFED to unlock activists' phones — then infected them with NoviSpy spyware. The tool designed for lawful access became the delivery mechanism for government surveillance.

When a company's revenue depends on government contracts, detecting the same governments' spyware creates a fundamental conflict of interest. This isn't speculation — it's documented.

Isn't this just marketing FUD about competitors?

We aren't making claims of our own here; we're pointing to publicly documented sources:

  • Amnesty International, December 2024: Cellebrite UFED used to unlock activists' phones in Serbia before NoviSpy was installed on them
  • Citizen Lab and Amnesty International reporting, 2016-2024: the documented Pegasus cases were surfaced by independent researchers, not by security products on the victims' devices
  • European Parliament PEGA Committee, 2023: its report on the use of Pegasus and equivalent surveillance spyware in EU member states

You can verify these sources yourself. We're simply acting on the logical conclusion: if you want to detect government spyware, use tools that don't depend on governments for revenue.

Has anyone actually proven commercial tools miss Pegasus?

No publicly documented Pegasus infection was first flagged by a security product on the victim's device.

Not by antivirus. Not by enterprise security products. Not by mobile forensics suites. Independent academic and human rights researchers, Citizen Lab (University of Toronto) and Amnesty International's Security Lab together with their collaborators (Lookout supplied the exploit analysis for the first case in 2016), found the cases that are on record.

This includes infections on devices that had commercial security products installed and running.

The pattern: Independent researchers discover → Commercial vendors add signatures months later → The next variant is missed → Repeat.

Could SmartScan itself be compromised or have backdoors?

Theoretically, any software can be compromised. Here's why our risk is lower:

  • No government contracts: We have no financial relationships with agencies that deploy spyware
  • Open-source IOCs: Our threat intelligence comes from public sources you can verify
  • UK jurisdiction: Registered in the United Kingdom (Secure Path Ltd) — subject to UK law, not extraterritorial requests from spyware-deploying regimes
  • Code audit available: Enterprise customers can request source code review

We encourage healthy skepticism. If you're a high-value target, combine SmartScan with device-level analysis using open-source tools like MVT.

// Threat Intelligence Sources

Where do your indicators of compromise come from?

We aggregate indicators from 15+ independent, publicly verifiable sources:

Source                 Type                                    Update frequency
---------------------  --------------------------------------  ----------------
CIRCL / LU-CERT        Luxembourg National CERT (MISP)         Real-time sync
Amnesty Tech           Government spyware IOCs                 Weekly
Citizen Lab            Documented spyware campaigns            Weekly
abuse.ch               SSLBL, Feodo, URLhaus, ThreatFox        Every 6 hours
Spamhaus               DROP/EDROP blocklists                   Daily
JA4DB (FoxIO)          TLS fingerprint database                Weekly
Tranco                 Academic top 1M whitelist               Daily
Emerging Threats       Suricata/Snort rules (Proofpoint)       Daily
Cloud Provider CIDRs   AWS, GCP, Azure, Cloudflare             Daily

All feeds run via automated pipelines with cryptographic integrity verification. Our database currently contains 50,000+ active IOCs and 1.5M+ whitelisted domains.

What is CIRCL and why do you use it?

CIRCL (Computer Incident Response Center Luxembourg) is the national CERT for Luxembourg, operating under government mandate since 2008.

They maintain the MISP Project — the most widely used open-source threat intelligence platform globally. We have direct access to their MISP instance with:

  • 270+ mobile-specific threat tags (Android malware, iOS exploits, stalkerware)
  • Government spyware tracking (Pegasus, Predator, etc.)
  • Real-time sync via MISP watchers

CIRCL is a Luxembourg government-backed institution (a national CERT within the EU) with no ties to spyware vendors. Its threat intelligence is used by national CSIRTs across Europe.

What spyware families can you detect?

Government-grade spyware:

  • Pegasus (NSO Group) — domains, emails, JA3 fingerprints, process indicators
  • Predator (Intellexa/Cytrox) — C2 domains, JA3 fingerprints
  • Hermit (RCS Lab, Italy) — network signatures
  • NoviSpy (Serbia) — domains, IPs, SHA256 hashes, package names
  • Candiru / DevilsTongue (Israel) — network indicators
  • QuaDream / REIGN — from Citizen Lab research
  • FinSpy / FinFisher (Gamma Group) — historical indicators
  • Operation Triangulation (Kaspersky discovery) — iOS implant indicators

Commercial stalkerware:

  • mSpy, FlexiSpy, Cocospy, Spyic, and 100+ other families
  • Package names, C2 domains, certificates from ECHAP research

Generic malware:

  • Android RATs, banking trojans, adware, cryptominers
  • From Emerging Threats, ThreatFox, SSLBL

Why don't you use VirusTotal or commercial threat feeds?

VirusTotal is owned by Google (Alphabet). Commercial feeds may have restrictions on what they share based on business relationships or licensing terms.

We prefer sources with:

  • Transparent governance — government CERTs, academic institutions, non-profits
  • No commercial conflicts — they don't sell services to spyware operators
  • Verifiable methodology — published research papers and IOC documentation

Our sources (CIRCL, Amnesty, Citizen Lab, abuse.ch) exist specifically to protect civil society — not to monetize threat data.

// Legal & Evidentiary

Are SmartScan reports admissible in court?

Our reports are designed to meet the requirements for legal admissibility. We follow internationally recognized forensic standards:

  • NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response
  • ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
  • RFC 3227 — Guidelines for Evidence Collection and Archiving

Every report includes SHA256 hashes, chain of custody documentation, and packet-level references for each finding. However, admissibility ultimately depends on jurisdiction and the presiding court. We recommend consulting with legal counsel familiar with digital evidence in your jurisdiction.

How do you maintain chain of custody?

Chain of custody is tracked cryptographically from capture to report:

  • Collection: PCAP files are hashed (SHA256) immediately upon capture
  • Transfer: All uploads occur over TLS 1.3 with certificate pinning
  • Storage: Evidence is stored in immutable storage with access logging
  • Analysis: Each processing step is logged with timestamps and operator ID
  • Export: Final report includes complete custody chain as appendix

Each custody event is cryptographically linked to the previous event: it embeds the hash of the preceding event, forming a hash chain (the same construction a blockchain uses to link its blocks). Altering, reordering or removing any recorded event changes every hash after it, so tampering is detectable whenever the chain is verified against the final hash printed in the report.
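As an added example of the hash chain described above (illustrative code written for this page, not SmartScan's implementation; the field names, the operator identifiers and the sample events are assumptions), the following Python appends custody events that each embed the previous event's SHA-256 and verifies a chain, reporting the first event at which the linkage breaks:

```python
import hashlib
import json
from typing import Optional

# Added example (not SmartScan's code): a hash-chained custody log. Every event
# embeds the SHA-256 of the previous event, so altering, reordering or deleting
# any earlier record invalidates every later link. Field names are assumptions.

GENESIS_HASH = "0" * 64


def _canonical(event_body: dict) -> bytes:
    # Deterministic encoding: sorted keys and fixed separators, so the same
    # event always hashes to the same value regardless of who serialised it.
    return json.dumps(event_body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def event_hash(event_body: dict) -> str:
    """SHA-256 over the canonical encoding of an event without its own hash field."""
    return hashlib.sha256(_canonical(event_body)).hexdigest()


def append_event(chain: list, timestamp: str, action: str, operator: str, artifact_sha256: str) -> dict:
    """Append a custody event linked to the previous one and return it."""
    body = {
        "seq": len(chain),
        "timestamp": timestamp,
        "action": action,
        "operator": operator,
        "artifact_sha256": artifact_sha256,
        "prev_hash": chain[-1]["event_hash"] if chain else GENESIS_HASH,
    }
    event = dict(body, event_hash=event_hash(body))
    chain.append(event)
    return event


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if every link is intact, else (False, seq of the first bad event)."""
    prev = GENESIS_HASH
    for i, event in enumerate(chain):
        body = {k: v for k, v in event.items() if k != "event_hash"}
        if (
            body.get("seq") != i                       # an event was removed or reordered
            or body.get("prev_hash") != prev           # link to the predecessor is broken
            or event_hash(body) != event.get("event_hash")  # the event itself was edited
        ):
            return False, i
        prev = event["event_hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed custody trail for one capture (artifact hash and names are made up)."""
    pcap_sha256 = hashlib.sha256(b"constructed pcap bytes").hexdigest()
    chain: list = []
    append_event(chain, "2025-01-10T09:00:00Z", "capture_hashed", "collector-01", pcap_sha256)
    append_event(chain, "2025-01-10T09:02:11Z", "uploaded_tls13", "collector-01", pcap_sha256)
    append_event(chain, "2025-01-10T09:02:15Z", "stored_immutable", "ingest-svc", pcap_sha256)
    append_event(chain, "2025-01-10T09:04:40Z", "analysis_started", "analyst-7", pcap_sha256)
    return chain


def tamper(chain: list, seq: int, new_artifact_sha256: str) -> list:
    """Return a copy of the chain in which one event's artifact hash was silently edited."""
    copy = [dict(e) for e in chain]
    copy[seq]["artifact_sha256"] = new_artifact_sha256
    return copy


if __name__ == "__main__":
    good = build_sample_chain()
    print("intact: ", verify_chain(good))
    print("edited: ", verify_chain(tamper(good, 1, "f" * 64)))
    print("deleted:", verify_chain(good[:2] + good[3:]))
```

One caveat the page's wording glosses over: a hash chain proves integrity only relative to a trusted anchor. Whoever holds the whole log can recompute every link after an edit, so the final event hash has to be fixed somewhere the log holder cannot rewrite, for example signed into the delivered report or timestamped with an external service, and verification compares against that anchor.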

What standards does your methodology follow?

Our analysis methodology is built on the OIHL Framework (Observation-Interpretation-Hypothesis-Likelihood), which ensures forensic conclusions are defensible:

O — Observation: Raw technical facts, no interpretation
I — Interpretation: Technical meaning based on standards
H — Hypothesis: Multiple explanations considered
L — Likelihood: Probability based on corroborating evidence

This framework prevents over-interpretation and ensures we never present speculation as fact. Every conclusion shows the underlying evidence and alternative hypotheses considered.

// Technical Detection

How do you identify spyware without the actual malware file?

Spyware must communicate. Even the most sophisticated surveillance tools need to:

  • Exfiltrate collected data (contacts, messages, location, recordings)
  • Receive commands from operators (what to collect, when to activate)
  • Send heartbeats to confirm the implant is active

We detect these communications through multiple correlation methods:

  • IOC Matching: Known C2 IPs, domains, and URLs from 15+ threat intel feeds
  • JA3/JA4 Fingerprints: TLS client fingerprints unique to specific spyware families
  • Certificate Analysis: Anomalous certificate chains, self-signed certs, unusual issuers
  • Behavioral Analysis: Beacon timing, data volume patterns, protocol anomalies
  • Temporal Correlation: Suspicious activity timing relative to user behavior
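As an added illustration of the behavioural analysis listed above (example code written for this page, not SmartScan's engine), the following Python groups connection records by client, server and port and flags peers whose inter-connection intervals are regular with low jitter and whose request sizes barely vary. The records are constructed in the shape of Zeek conn.log fields, and the thresholds (at least five connections, median interval between 10 seconds and 15 minutes, interval jitter under 15%) are assumptions rather than SmartScan's tuned values:

```python
import statistics
from collections import defaultdict

# Added example (not SmartScan's code): the timing component of behavioural
# C2 detection over conn.log-style records (ts, orig_h, resp_h, resp_p, orig_bytes).

# Constructed sample: one host beacons to 203.0.113.10:443 roughly every 60 s
# with near-constant request sizes, browses 198.51.100.7:443 irregularly, and
# makes three quick connections to 192.0.2.44:443 (too few to judge).
BASE = 1_700_000_000.0
SAMPLE_CONNS = (
    [(BASE + t, "10.0.0.5", "203.0.113.10", 443, b) for t, b in
     zip([0, 61, 119, 181, 240, 302, 359, 420], [512, 520, 512, 516, 512, 520, 512, 516])]
    + [(BASE + t, "10.0.0.5", "198.51.100.7", 443, b) for t, b in
       zip([3, 5, 140, 143, 700, 705, 1300], [900, 14000, 2200, 310, 76000, 1800, 5200])]
    + [(BASE + t, "10.0.0.5", "192.0.2.44", 443, 400) for t in [10, 70, 130]]
)


def _cv(values) -> float:
    """Coefficient of variation (population stdev / mean); a pure constant series gives 0.0."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def find_beacons(conns, min_conns=5, max_interval_cv=0.15, min_interval=10.0, max_interval=900.0):
    """Return peers whose connection cadence looks like C2 beaconing.

    conns: iterable of (ts, orig_h, resp_h, resp_p, orig_bytes) tuples.
    """
    by_peer = defaultdict(list)
    for ts, orig_h, resp_h, resp_p, orig_bytes in conns:
        by_peer[(orig_h, resp_h, resp_p)].append((ts, orig_bytes))

    findings = []
    for peer, events in by_peer.items():
        if len(events) < min_conns:
            continue  # too few observations to call a cadence
        events.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        median_interval = statistics.median(intervals)
        interval_cv = _cv(intervals)
        # Regular cadence inside a plausible beacon window; everything else is
        # left alone, so user-driven browsing with bursty timing does not fire.
        if not (min_interval <= median_interval <= max_interval) or interval_cv > max_interval_cv:
            continue
        findings.append({
            "peer": peer,
            "connections": len(events),
            "median_interval": median_interval,
            "interval_cv": round(interval_cv, 4),
            # Near-constant upload sizes are typical of heartbeats with no payload.
            "bytes_cv": round(_cv([size for _, size in events]), 4),
            "category": "Beaconing pattern (behavioural, no attribution)",
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_CONNS):
        print(finding)
```

Legitimate traffic also beacons (push-notification keepalives, OS telemetry, mail polling), which is why a hit from this stage carries a threat category rather than a family name and is correlated with IOC and fingerprint evidence before anything is attributed. The interval window also bounds what a 10-minute capture can see: an implant that checks in hourly needs the longer capture periods described under "Does a clean scan mean my device is safe?".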

Can you detect spyware that uses zero-day exploits?

Yes. Zero-day exploits are how spyware gets onto the device; we detect what it does after it is installed.

There's an important distinction:

  • Zero-day exploit: The vulnerability used to install the spyware (we don't detect this)
  • Command & Control: How the spyware communicates after installation (we DO detect this)

Even Pegasus — which uses sophisticated zero-click exploits — must eventually phone home. When it does, it uses:

  • Known C2 infrastructure (documented by Citizen Lab)
  • Specific TLS configurations (JA3/JA4 fingerprints)
  • Characteristic traffic patterns (beacon timing, volumes)

Pegasus infrastructure was first mapped from network evidence: Citizen Lab fingerprinted and scanned the servers NSO used and tracked the domains that infected devices contacted, and Amnesty's forensic methodology correlates domains recorded on a device with that infrastructure. Network-level indicators are the same category of evidence we rely on.

If spyware communicates, we can potentially detect it — regardless of how it was installed.

What are JA3/JA4 fingerprints and why do they matter?

JA3 is a method of fingerprinting TLS clients based on the Client Hello message. The cipher suites offered, the extensions present, the supported groups and the order in which they appear are concatenated and hashed (MD5) to produce the fingerprint. The fingerprint identifies a TLS library and its configuration rather than a single application: apps that use the operating system's TLS stack (as almost all iOS apps do) typically share a fingerprint, so a JA3 match is corroborating evidence rather than proof of a specific implant on its own.

JA4+ is the next generation, providing more granular fingerprints:

  • JA4 — Enhanced client fingerprint (more collision-resistant than JA3)
  • JA4S — Server Hello fingerprint
  • JA4H — HTTP request fingerprint
  • JA4T — TCP fingerprint
  • JA4X — X.509 certificate fingerprint

We use the complete JA4+ suite from FoxIO's JA4DB, combined with SSLBL's JA3 blacklist, to identify malicious traffic even when encrypted.
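To make the fingerprinting concrete, here is an added Python example (not SmartScan's or FoxIO's code) that builds a JA3 string from ClientHello fields, drops GREASE values as the JA3 specification requires, hashes it, and checks the result against a blacklist laid out like abuse.ch SSLBL's JA3 list. The ClientHello values and the blacklist entry are constructed for illustration; the blacklist entry is derived from the sample so the lookup runs offline:

```python
import hashlib

# Added example (not SmartScan's or FoxIO's code): JA3 string construction,
# hashing and blacklist lookup. All sample values below are constructed.


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are dropped before hashing."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version: int, ciphers, extensions, groups, point_formats) -> str:
    """JA3 = TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats.

    Each list keeps its wire order (JA3 is order-sensitive); GREASE entries are removed.
    """
    def field(values) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([str(version), field(ciphers), field(extensions), field(groups), field(point_formats)])


def ja3_hash(fingerprint: str) -> str:
    """The published JA3 value is the MD5 of the fingerprint string."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


# Constructed ClientHello resembling a TLS 1.3-capable client, with GREASE
# values interleaved the way real clients send them.
SAMPLE_HELLO = {
    "version": 771,  # 0x0303, the legacy_version field of the ClientHello
    "ciphers": [0x1A1A, 4865, 4866, 4867, 49195, 49199],
    "extensions": [0x3A3A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 0x4A4A, 21],
    "groups": [0x5A5A, 29, 23, 24],
    "point_formats": [0],
}

# Constructed blacklist in the shape of SSLBL's JA3 list: hash -> label.
SAMPLE_BLACKLIST = {
    ja3_hash(ja3_string(**SAMPLE_HELLO)): "constructed-stalkerware-client",
}


def lookup(hello: dict, blacklist: dict) -> tuple:
    """Return (ja3_string, ja3_hash, label or None) for a ClientHello."""
    fingerprint = ja3_string(**hello)
    digest = ja3_hash(fingerprint)
    return fingerprint, digest, blacklist.get(digest)


if __name__ == "__main__":
    print(lookup(SAMPLE_HELLO, SAMPLE_BLACKLIST))
    # The same client with its cipher list in a different order hashes differently:
    reordered = dict(SAMPLE_HELLO, ciphers=[49199, 49195, 4867, 4866, 4865])
    print(lookup(reordered, SAMPLE_BLACKLIST))
```

The order sensitivity shown in the last two lines is a practical weakness of JA3: Chrome has randomized its extension order since version 110, so one browser now produces many JA3 values. JA4 sorts the cipher and extension lists before hashing, which is the main reason it is more stable and why the JA4+ suite is the primary fingerprint source rather than JA3 alone.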

How do you attribute detections to specific spyware families?

Attribution is only reported when we have high-confidence indicators.

We attribute to specific spyware families (e.g., "Pegasus", "Predator") only when:

  • IOC matches known infrastructure from Citizen Lab, Google TAG, Amnesty Tech, or similar authoritative sources
  • JA3/JA4 fingerprint matches documented samples
  • Certificate chain matches known spyware vendor patterns
  • Multiple independent indicators correlate

For behavioral-only detections (suspicious patterns without IOC match), we report the threat category (e.g., "Stalkerware-like beaconing", "Data exfiltration pattern") without claiming specific attribution. This prevents false accusations while still alerting to genuine threats.

What is your false positive rate?

Our multi-engine correlation approach minimizes false positives:

  • IOC-based detections: Very low FP rate (~0.1%) — these are known-bad indicators
  • JA3/JA4 fingerprint matches: Low FP rate (~1%) — fingerprints are highly specific
  • Behavioral detections: Moderate FP rate (~5%) — patterns can have legitimate explanations

To further reduce false positives:

  • We maintain a Tranco Top 1M whitelist of legitimate domains (academic source)
  • We exclude known CDN and cloud provider IP ranges (official CIDR lists)
  • We check against 1.5M+ whitelisted domains from CIRCL
  • Every finding shows confidence scores and alternative hypotheses
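The precedence between known-bad indicators, the cloud-range exclusion and the whitelist is easy to get wrong (suppress too eagerly and a C2 domain parked on a CDN disappears), so the following added Python example (not SmartScan's code) shows one defensible ordering. The indicator sets, the whitelist and the CIDR list are small constructed stand-ins for the Citizen Lab/Amnesty feeds, the Tranco list and the provider CIDR lists, and the verdict and confidence labels are assumptions:

```python
import ipaddress
from typing import Optional

# Added example (not SmartScan's code): precedence between IOC matches,
# cloud/CDN range exclusion and the whitelist. All sets below are constructed.

IOC_DOMAINS = {"c2.example-bad.test", "update-srv.example-bad2.test"}
IOC_IPS = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("198.51.100.77")}
WHITELIST = {"example.com", "icloud.com"}                   # stand-in for Tranco top-1M
CLOUD_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]     # stand-in for a provider CIDR list


def domain_suffixes(fqdn: str):
    """Yield 'a.b.c.d', 'b.c.d', 'c.d' so a match on a parent domain covers its subdomains."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def in_cloud_range(addr) -> bool:
    return any(addr in net for net in CLOUD_CIDRS)


def assess(fqdn: Optional[str], ip: str, behavioural_hit: bool = False) -> Optional[dict]:
    """Correlate one connection's name, address and behavioural result into a verdict.

    Returns None when there is nothing to report.
    """
    addr = ipaddress.ip_address(ip)
    suffixes = list(domain_suffixes(fqdn or ""))
    matched_domain = next((s for s in suffixes if s in IOC_DOMAINS), None)

    # 1. A known-bad domain wins outright, even on CDN space or a popular domain:
    #    the feed says this specific name is malicious, so nothing may suppress it.
    if matched_domain:
        return {"verdict": "ioc_domain", "indicator": matched_domain, "confidence": "high"}

    # 2. Known-bad IP: shared cloud/CDN addresses are reused by many tenants, so
    #    without a domain match the finding is downgraded rather than dropped.
    if addr in IOC_IPS:
        if in_cloud_range(addr):
            return {"verdict": "ioc_ip_shared_infra", "indicator": ip, "confidence": "medium"}
        return {"verdict": "ioc_ip", "indicator": ip, "confidence": "high"}

    # 3. No IOC at all: only a behavioural result can produce a finding, and the
    #    whitelist and cloud ranges are applied here, where they belong.
    if not behavioural_hit:
        return None
    if any(s in WHITELIST for s in suffixes):
        return {"verdict": "behavioural_whitelisted", "indicator": fqdn, "confidence": "info"}
    if in_cloud_range(addr):
        return {"verdict": "behavioural_shared_infra", "indicator": ip, "confidence": "low"}
    return {"verdict": "behavioural", "indicator": fqdn or ip, "confidence": "medium"}


if __name__ == "__main__":
    print(assess("beacon.c2.example-bad.test", "198.51.100.5"))
    print(assess("cdn.example.com", "198.51.100.77"))
    print(assess("push.icloud.com", "17.0.0.1", behavioural_hit=True))
    print(assess("x.example-other.test", "192.0.2.9", behavioural_hit=True))
```

The whitelist is applied after the IOC checks on purpose: a compromised or attacker-registered name can sit in a top-1M list, and an IOC feed entry is the more specific statement. Whitelisted and cloud-hosted behavioural hits are still recorded (at "info" and "low") so an analyst can see what was suppressed and why.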

We prioritize accuracy over alerting volume. A "clean" scan is not a failure — it means no indicators were found.

What does MITRE ATT&CK mapping provide?

Every finding is mapped to MITRE ATT&CK v18.1 (both Enterprise and Mobile matrices), providing:

  • Technique IDs: Standardized identifiers (e.g., T1437.001 - Application Layer Protocol: Web Protocols, from the Mobile matrix)
  • Tactic Context: Where the technique fits in the attack lifecycle (C2, Exfiltration, etc.)
  • Kill Chain Phase: Lockheed Martin Cyber Kill Chain mapping
  • Severity Weighting: Techniques are weighted by their tactical impact

This standardization allows:

  • Integration with SIEM and SOAR platforms that understand ATT&CK
  • Comparison with other threat reports using the same taxonomy
  • Clear communication with security teams globally

// Operational

How long does a scan take?

A complete scan consists of two phases:

1. Network Capture: 10 minutes (default)

  • Default capture duration to detect C2 beaconing patterns
  • Configurable: 5 min (quick triage) to hours/days (dormant threats)
  • 10 min recommended because spyware typically beacons every 1-5 minutes

2. Analysis: 1-5 minutes (varies)

  • Depends on PCAP size and content complexity
  • Small capture (<1 GB): ~1 minute
  • Large capture (1-10 GB): 2-5 minutes
  • Very large (10+ GB): may take longer

Total: <15 minutes for standard scans (10 min capture + ~5 min analysis).

Analysis engines run in parallel: Zeek protocol analysis, Suricata signatures, behavioral analysis, JA3/JA4 fingerprinting, and threat intelligence correlation.

How often are your IOC feeds updated?

Feeds are updated automatically on different schedules based on source update frequency:

  • Real-time: MISP CIRCL via watchers
  • Every 6 hours: SSLBL (JA3, certs, IPs), Feodo, URLhaus, ThreatFox
  • Daily: Government Spyware IOCs, Emerging Threats, Spamhaus DROP, Tranco whitelist, Cloud CIDRs
  • Weekly: JA4DB (FoxIO)

All feeds run via systemd timers with automatic failure retry. The database currently contains 50,000+ active IOCs.

What export formats do you support?

Reports can be exported in multiple formats:

  • PDF Report: Complete analysis with executive summary, technical details, and chain of custody
  • STIX 2.1 Bundle: Machine-readable threat intelligence for SIEM/SOAR integration
  • JSON: Raw findings data for custom processing
  • HTML: Interactive report for browser viewing

STIX 2.1 bundles are compatible with MISP, OpenCTI, Splunk ES, Microsoft Sentinel, and other platforms.
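For teams wiring the export into a SIEM, here is an added Python example (not SmartScan's exporter) that hand-builds a minimal STIX 2.1 bundle for one attributed finding: an Indicator with a domain-name pattern, a Malware object for the family, and the `indicates` Relationship between them. The finding values are constructed; the object layout follows the STIX 2.1 specification, and the helper names are this example's own:

```python
import json
import uuid
from datetime import datetime, timezone

# Added example (not SmartScan's exporter): a minimal STIX 2.1 bundle for one
# attributed network finding. SAMPLE_FINDING is constructed; the object layout
# follows the STIX 2.1 Indicator, Malware and Relationship objects.

SAMPLE_FINDING = {
    "domain": "c2.example-bad.test",          # constructed C2 domain
    "source": "constructed IOC feed entry",   # where the indicator came from
    "family": "Constructed-Spyware-Family",   # set only when attribution is high-confidence
}


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamps are UTC RFC 3339 strings ending in 'Z' (milliseconds here)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_pattern_domain(domain: str) -> str:
    """Comparison expression on a domain-name SCO; backslashes and quotes are escaped."""
    escaped = domain.replace("\\", "\\\\").replace("'", "\\'")
    return "[domain-name:value = '%s']" % escaped


def build_bundle(finding: dict, now: datetime) -> dict:
    """Return a STIX 2.1 bundle: Indicator -(indicates)-> Malware."""
    ts = stix_timestamp(now)
    indicator_id = f"indicator--{uuid.uuid4()}"
    malware_id = f"malware--{uuid.uuid4()}"
    common = {"spec_version": "2.1", "created": ts, "modified": ts}
    indicator = {
        "type": "indicator", "id": indicator_id, **common,
        "name": f"C2 domain {finding['domain']}",
        "description": f"Source: {finding['source']}",
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern_domain(finding["domain"]),
        "pattern_type": "stix",
        "valid_from": ts,
    }
    malware = {
        "type": "malware", "id": malware_id, **common,
        "name": finding["family"],
        "is_family": True,
        "malware_types": ["spyware"],
    }
    relationship = {
        "type": "relationship", "id": f"relationship--{uuid.uuid4()}", **common,
        "relationship_type": "indicates",
        "source_ref": indicator_id,
        "target_ref": malware_id,
    }
    # A STIX 2.1 bundle carries no spec_version of its own; each object does.
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, malware, relationship]}


def sample_bundle() -> dict:
    """Bundle for the constructed finding with a fixed timestamp (only the IDs vary between runs)."""
    return build_bundle(SAMPLE_FINDING, datetime(2025, 1, 10, 9, 5, tzinfo=timezone.utc))


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    print(to_json(sample_bundle()))
```

For a behavioural-only finding, consistent with the attribution policy above, the Malware object and the relationship would be omitted and the Indicator's name would carry the threat category instead of a family. Consumers such as MISP and OpenCTI will accept the bundle as is; Splunk ES and Sentinel ingest it through their STIX/TAXII connectors.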

Do you store my traffic data?

Raw PCAP files are processed and then deleted from our servers after analysis is complete.

Your scan reports are permanently saved in your user dashboard. You can access, download, or share them at any time from your account.

  • Reports: Saved indefinitely in your account — accessible anytime
  • PCAP files: Deleted after processing (typically within 24 hours)
  • Right to deletion: You can request deletion of your reports at any time

We never share your data with third parties (except as required by UK law). All data at rest is encrypted using AES-256.

// Scope & Limitations

What if the spyware uses legitimate infrastructure (CDNs)?

This is a known evasion technique. Sophisticated spyware may route its command-and-control traffic through a shared CDN or cloud front end (CloudFront, Fastly, Google) so that it terminates on the same IP ranges and under the same certificates as legitimate services. Domain fronting is the specific form in which the TLS SNI names an innocuous domain while the HTTP Host header inside the encrypted session names the real destination; several large CDNs, including CloudFront and Google, have blocked it since 2018, but the broader pattern of hiding behind a shared front end remains available.

Our detection capabilities in this scenario:

  • Can detect: Unusual certificate chains, beacon timing anomalies, volume patterns inconsistent with normal CDN usage, and SNI/Host mismatches where the capture includes decrypted HTTP (for example, from an interception proxy the device has been configured to trust)
  • May miss: Traffic observed only in encrypted form, where the SNI and the served certificate both name the front domain and the Host header is never visible on the wire, and fronting with clean certificates and normal-looking timing

We are transparent about this limitation. If you suspect CDN-based evasion, we recommend combining network analysis with device-level forensics for comprehensive coverage.

Does a "clean" scan mean my device is safe?

A clean scan means no indicators were found in the captured traffic — not that your device is definitively uncompromised.

A clean result could mean:

  • The device is genuinely clean
  • Spyware was present but not active during the capture window
  • Spyware uses infrastructure we don't have signatures for
  • Traffic was captured before infection occurred

For high-assurance scenarios, we recommend:

  • Extended capture periods (24-72 hours minimum)
  • Multiple scans over time
  • Combining with device-level forensics (MVT, filesystem analysis)

What if I'm a high-value target?

If you're a journalist, activist, politician, or executive who might be targeted by state-sponsored surveillance:

  • Use SmartScan for network-level detection
  • Combine with MVT (Amnesty's Mobile Verification Toolkit) for device-level analysis
  • Contact Access Now's Digital Security Helpline for personalized support
  • Consider consulting with independent security trainers

No single tool catches everything. Layered defense is essential for high-risk individuals.

Still Have Questions?

Our forensic team is available to discuss your specific requirements.
