Mobile attack suite — SS7, delivery, and physical access.
Twenty Python modules across three attack surfaces. SS7 carrier layer: live location via MAP SendRoutingInfo + ProvideSubscriberInfo, call/SMS intercept via RegisterSS, OTP theft via UpdateLocation, IMSI harvest from MSISDN. Mobile delivery: weaponized APK generation with NYX stager callback, legitimate APK repackaging with Smali injection, iOS enterprise .mobileconfig profiles, smishing payloads with tracking, QR deep-link exploits. Physical access: ADB backup extraction (SMS, contacts, WhatsApp, location), APK sideload with persistence, and Frida runtime hook script generation.
scroll to access
Kill_Chain_Position
Capabilities
SS7 live location tracking
SendRoutingInfoForSM → IMSI resolution, ProvideSubscriberInfo → Cell-ID + LAC → geocoded via Google Geolocation API
SS7 SMS / call intercept
RegisterSS (CFU) call forwarding, ForwardSM interception via UpdateLocation spoofing — both via SigPloit MAP client
SS7 OTP theft
UpdateLocation registration hijack → redirected SMS delivery → OTP extraction from intercepted messaging
IMSI enumeration
MSISDN → IMSI harvest via SendRoutingInfoForSM MAP queries; dry-run mode when SS7 STP is not configured
Android APK weaponizer
Smali source generation with NYX stager callback baked in; apktool decompile→inject→rebuild→jarsigner sign pipeline
APK repackaging + injection
Legitimate APK decompiled via apktool, Frida agent Smali injected, rebuilt and resigned with generated keystore
iOS MDM profile delivery
Enterprise .mobileconfig profile generation with CA cert + proxy + WiFi payload; sideloading without App Store review
ADB device extraction
SMS, contacts, call logs, installed apps, WhatsApp DB, screenshot, location extraction via adb backup + adb pull; auto device detection
Architecture
Python 3.11+ with 10 runtime dependencies. Three sub-packages: ss7/ (7 modules), delivery/ (5 modules), physical/ (4 modules) plus core/ (3 modules) and cli.py. SS7 modules wrap a thin SigPloit MAP client vendored under proteus/ss7/sigploit/ — pyasn1-based ASN.1 encoding + requests-based M3UA transport. All SS7 modules support dry-run mode when ss7_host is unset in ProteusConfig. Delivery modules use subprocess to shell out to Android SDK tools (apktool, aapt, jarsigner, keytool) — all checked via shutil.which() at runtime with graceful fallback. Physical modules drive adb via subprocess.run(). Each module follows the run(config: ProteusConfig) -> MobileArtifact pattern. Typer CLI with 3 subcommand groups: ss7, delivery, physical.
Engagement_Types
Also_In_The_Suite
Secure_Channel
All work requires a signed scope document. Initial contact is encrypted. Response within 48h.
INITIALIZE_CONTACT