TOOLS_SUITE
MOBILE_TELECOM
ACTIVE20 modulesPython

PROTEUS

Mobile attack suite — SS7, delivery, and physical access.

Twenty Python modules across three attack surfaces. SS7 carrier layer: live location via MAP SendRoutingInfo + ProvideSubscriberInfo, call/SMS intercept via RegisterSS, OTP theft via UpdateLocation, IMSI harvest from MSISDN. Mobile delivery: weaponized APK generation with NYX stager callback, legitimate APK repackaging with Smali injection, iOS enterprise .mobileconfig profiles, smishing payloads with tracking, QR deep-link exploits. Physical access: ADB backup extraction (SMS, contacts, WhatsApp, location), APK sideload with persistence, and Frida runtime hook script generation.

scroll to access

Kill_Chain_Position

Reconnaissance
Initial_Access
Execution
Persistence
Privilege_Escalation
Lateral_Movement
Collection
Command_& Control
Exfiltration

Capabilities

What it can do.

SS7 live location tracking

SendRoutingInfoForSM → IMSI resolution, ProvideSubscriberInfo → Cell-ID + LAC → geocoded via Google Geolocation API

SS7 SMS / call intercept

RegisterSS (CFU) call forwarding, ForwardSM interception via UpdateLocation spoofing — both via SigPloit MAP client

SS7 OTP theft

UpdateLocation registration hijack → redirected SMS delivery → OTP extraction from intercepted messaging

IMSI enumeration

MSISDN → IMSI harvest via SendRoutingInfoForSM MAP queries; dry-run mode when SS7 STP is not configured

Android APK weaponizer

Smali source generation with NYX stager callback baked in; apktool decompile→inject→rebuild→jarsigner sign pipeline

APK repackaging + injection

Legitimate APK decompiled via apktool, Frida agent Smali injected, rebuilt and resigned with generated keystore

iOS MDM profile delivery

Enterprise .mobileconfig profile generation with CA cert + proxy + WiFi payload; sideloading without App Store review

ADB device extraction

SMS, contacts, call logs, installed apps, WhatsApp DB, screenshot, location extraction via adb backup + adb pull; auto device detection

Architecture

How it's built.

Python 3.11+ with 10 runtime dependencies. Three sub-packages: ss7/ (7 modules), delivery/ (5 modules), physical/ (4 modules) plus core/ (3 modules) and cli.py. SS7 modules wrap a thin SigPloit MAP client vendored under proteus/ss7/sigploit/ — pyasn1-based ASN.1 encoding + requests-based M3UA transport. All SS7 modules support dry-run mode when ss7_host is unset in ProteusConfig. Delivery modules use subprocess to shell out to Android SDK tools (apktool, aapt, jarsigner, keytool) — all checked via shutil.which() at runtime with graceful fallback. Physical modules drive adb via subprocess.run(). Each module follows the run(config: ProteusConfig) -> MobileArtifact pattern. Typer CLI with 3 subcommand groups: ss7, delivery, physical.

Engagement_Types

Where it fits.

Telecom security assessmentMobile application penetration testingRed team mobile device accessCarrier signaling security review

Also_In_The_Suite

Secure_Channel

Authorized engagements only.

All work requires a signed scope document. Initial contact is encrypted. Response within 48h.

INITIALIZE_CONTACT