By ByteBot
Security researchers at The Citizen Lab discovered two surveillance campaigns exploiting global telecoms infrastructure, revealed today (April 23, 2026). Surveillance vendors operated as “ghost” companies—pretending to be legitimate cellular providers—to access SS7 and Diameter protocols and track phone locations. Three specific telecom providers repeatedly enabled the surveillance: Israeli operator 019Mobile, British provider Tango Networks U.K., and Airtel Jersey on the Channel Islands. They didn’t hack the networks. They walked right through the front door.
The discovery exposes a fundamental weakness in mobile infrastructure affecting billions of users worldwide. Even “modern, secure” 4G and 5G networks running the Diameter protocol suffer from the same critical vulnerabilities that have plagued older 2G and 3G networks using SS7 for decades. If you’re a developer building mobile apps and assuming the carrier handles security—stop. It doesn’t.
How Ghost Companies Exploit Telecoms
SS7, the signaling protocol for 2G and 3G networks, was developed in the 1970s with two fatal flaws: no authentication and no encryption. Anyone with network access can send location queries with a 70% success rate. The problem? Thirty percent of mobile connections still use 2G or 3G networks, according to GSMA’s 2021 report.
Diameter, designed to replace SS7 for 4G and 5G, was supposed to fix these problems. It didn’t. Security researchers confirm Diameter “suffers from many of the same fundamental flaws”—lack of end-to-end authentication, no integrity checks, and an outdated trust model. Add widespread misconfiguration, and you have 100% of 4G networks susceptible to denial-of-service attacks and an 89% success rate for location tracking, according to P1 Security’s analysis.
The ghost companies masquerade as legitimate cellular providers, gaining network access to query subscriber location data. The three telecoms identified—019Mobile, Tango Networks U.K., and Airtel Jersey—”repeatedly acted as surveillance entry and transit points.” Not once. Repeatedly. That’s a vetting failure, not a technical accident.
Real-World Attacks Happening Now
In July 2025, cybersecurity firm Enea exposed a surveillance vendor in the Middle East exploiting a new bypass attack to request subscriber location data—active since late 2024. In 2024, a cybercrime group in Europe intercepted SMS messages from thousands of banking customers, draining millions of euros by exploiting SS7 weaknesses.
Also in 2024, Kevin Briggs of the U.S. Cybersecurity and Infrastructure Security Agency reported to the FCC that SS7 and Diameter hacks had been used in “numerous attempts” to acquire location data, intercept messages, and influence voters. Senator Ron Wyden released DHS information identifying China, Russia, Iran, and Israel as primary countries exploiting SS7 for espionage.
What Developers Must Know
You cannot trust network-level security. End-to-end encryption is mandatory. SMS-based two-factor authentication is broken—SS7 and Diameter allow attackers to bypass it by intercepting messages. Location data can be intercepted in transit.
The Android Developers blog recommends data minimization: don’t collect location data you don’t need, minimize precision and frequency, and use foreground location instead of background unless necessary. The FTC’s guidance states: “The developer is the final line of defense.” You can’t delegate security to carriers. They’ve proven they can’t handle it.
The Citizen Lab has exposed surveillance abuses for over two decades, from uncovering the GhostNet cyber espionage network in 2009 to revealing NSO Group’s spying on Jamal Khashoggi’s circle in 2018. This latest discovery won’t be the last. As long as telecoms operate on outdated protocols and fail to vet network access, surveillance vendors will keep exploiting these vulnerabilities. The infrastructure is broken, and nobody’s rushing to fix it.
