Threat Detection
The Threat tab runs a small set of on-device detectors continuously and surfaces their findings as alerts in a feed. Every detector is deterministic — it follows a rule, not a model — so its behaviour is auditable and reproducible.
The detection pipeline checks five environment surfaces in parallel:
- Cellular — the neighbour-cell list, broadcast SIBs, paging patterns, RAT downgrades, and TAC changes without corresponding motion. This is where IMSI catchers, paging-storm interception, and Stingray-style downgrade attacks show up.
- Wi-Fi — beacon-frame fingerprints, deauth bursts, and SSID/BSSID drift. Catches evil-twin access points and Pineapple-style interception rigs.
- Bluetooth Low Energy — proximity tracker fingerprints (Tile, AirTag, Galaxy SmartTag, Chipolo, etc.) within scan range.
- App audit — permission drift on installed packages compared to the baseline taken at threat-tab open.
- Geographic baseline — every cellular observation is grouped by a six-character geohash. Anything that doesn't match the baseline for that geohash gets surfaced; the baseline grows automatically as you spend time in each area.
Five sections, top to bottom:
- Risk meter — sum of recent alert severities, capped at 100.
- Detection mode — which tier of heuristics is currently active. Tier 0 is the default and uses NetMonster reflection plus AIMSICD-style cell-info checks. Tier 1 (M7b) requires an SDR dongle plugged in over USB-OTG. Tier 2 (M7c) requires root.
- Hardened Mode toggle — opens the Hardened Mode walkthrough.
- Incident response — four-button runbook covered in Hardened Mode.
- Recent alerts — the last fifty alerts, newest first.
Each alert carries:
- A summary in plain English.
- A severity — Low, Medium, High, or Critical.
- A timestamp in your local time.
- A geohash of where the alert was triggered (six characters, about 1.2 km square).
- An evidence blob — JSON with the raw values that triggered the rule. Tap to expand.
Severity is purely a sum of rule-confidence weights. None of the detectors directly trigger a destructive action — the panic button is always user-initiated.
| Heuristic | Looks for | Detector source |
|---|---|---|
| BTS Algorithm | Implausible cell-broadcast values (LAC/CID/MCC/MNC outside the carrier's range, or duplicate cells from different operators) | AIMSICD port |
| RAT downgrade | LTE → UMTS → GSM forced downgrades | SnoopSnitch port |
| TAC change without motion | Tracking-area updates without a corresponding accelerometer-based location shift | Crocodile Hunter port |
| EARFCN allocation | Cells operating on out-of-band ARFCN values | Crocodile Hunter port |
| Reattach storm | Multiple network-rejection / reattach cycles in a short window | Crocodile Hunter port |
| Evil-twin Wi-Fi | SSIDs that match a known good one but with different BSSID and weaker security | Wi-Fi scan correlation |
| BLE tracker | Manufacturer-data patterns matching known commercial trackers | Bluetooth scan |
| App permission diff | Permissions appearing on installed packages after baseline | AppOps reflection |
Tetherand does not ship a global cell-tower database (that would need ongoing updates and reveal which DBs you mirror). Instead, the first time the phone visits a given geohash, the cells it sees there become the baseline for that hash. Subsequent visits that introduce new cells, especially ones with implausible parameters, fire alerts.
The baseline lives in the on-device Room database, encrypted at rest via SQLCipher. It is never transmitted.
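The per-geohash baseline logic and the capped risk meter described above, as an added illustration that is not Tetherand's own code: cell tuples, the plausibility bounds and the rule weights are constructed placeholders, and the Room/SQLCipher store is replaced by an in-memory dict.

```python
# Added illustration, not Tetherand's code: a minimal model of the per-geohash
# cell baseline and the risk meter. Cell tuples, plausibility bounds and rule
# weights are constructed placeholders; storage is an in-memory dict.
BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"

def geohash(lat, lon, precision=6):
    """Standard geohash encoding; six characters is roughly a 1.2 km cell."""
    lat_r, lon_r = [-90.0, 90.0], [-180.0, 180.0]
    out, bits, nbits, use_lon = [], 0, 0, True
    while len(out) < precision:
        rng, val = (lon_r, lon) if use_lon else (lat_r, lat)
        mid = (rng[0] + rng[1]) / 2
        bits <<= 1
        if val >= mid:
            bits |= 1
            rng[0] = mid
        else:
            rng[1] = mid
        use_lon, nbits = not use_lon, nbits + 1
        if nbits == 5:
            out.append(BASE32[bits])
            bits, nbits = 0, 0
    return "".join(out)

def plausible(cell):
    """BTS-style sanity bounds on (mcc, mnc, lac, cid); constructed ranges."""
    mcc, mnc, lac, cid = cell
    return 200 <= mcc <= 799 and 0 <= mnc <= 999 and 0 < lac < 65534 and cid > 0

class GeoBaseline:
    """First visit to a geohash learns its cells; later visits diff against them."""
    def __init__(self):
        self.cells_by_hash = {}  # geohash -> set of (mcc, mnc, lac, cid)

    def observe(self, lat, lon, cells):
        """Return alerts for cells not in the area's baseline, then learn them."""
        gh = geohash(lat, lon)
        known = self.cells_by_hash.setdefault(gh, set())
        alerts = []
        if known:  # an empty baseline (first visit) cannot be contradicted
            for cell in cells:
                if cell in known:
                    continue
                weight = 10 if plausible(cell) else 50  # constructed rule weights
                alerts.append({"geohash": gh, "severity": weight,
                               "summary": "new cell" if weight == 10 else "implausible cell",
                               "evidence": {"cell": cell}})
        known.update(cells)  # baseline grows as time is spent in the area
        return alerts

def risk_meter(alerts):
    """Sum of recent alert severities, capped at 100."""
    return min(100, sum(a["severity"] for a in alerts))
```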
The bright-red PANIC button at the bottom of the Threat tab does three things atomically:
- Stops the privacy chain.
- Disconnects the Wi-Fi adapter.
- Drops the cellular radio into airplane mode.
It does not wipe data. For that, see the Burn button in Hardened Mode.