Silent SMS: Tracking Without Malware
- Aastha Thakker
- 19 hours ago
- 6 min read

Your Phone Just Reported Its Location and You Got Zero Notifications!
Phone is face-down on the desk. Screen never lights up. No ping, no banner, no LED blink. But somewhere, a server just logged your location down to the nearest cell tower, precise enough to put you in a specific building on a specific street.
You received a message. Your phone processed it at the baseband level. Sent back a confirmation. Then discarded the contents, exactly as the spec instructs it to. No spyware involved. No one touched your device. No zero-day exploited. Someone sent a Type 0 SMS, and the mobile network infrastructure did the rest.
That’s Silent SMS. And the strange part is, it was never hidden from anyone who bothered to read the GSM spec.
What Silent SMS Actually Is
Silent SMS has a few names depending on context: Stealth SMS, Ping SMS, Type 0 SMS, or in German law enforcement circles, Stille SMS. The technical definition comes from 3GPP TS 23.040 (originally GSM 03.40), and it reads:
“A short message type 0 indicates that the ME must acknowledge receipt of the short message but may discard its contents.”
Two things to pull out of that:
“Must acknowledge receipt”: your device is required to send a delivery confirmation back to the network.
“May discard its contents”: your device is not required to display or store anything.
That mandatory acknowledgment is where everything happens. The moment your phone confirms receipt, the cell tower that handled the routing logs the registration event, timestamp included, along with your Cell ID, the unique identifier of whichever tower you were connected to at that moment.
Anyone with carrier access or SS7 network access can cross-reference that Cell ID against tower coordinates and pin your location. In dense urban areas, that accuracy sits under 100 meters. What surprised me while going through this is how little most people realize this is standard network behavior, not an exploit, not a trick. The network is doing exactly what it was designed to do.

Why SS7 Is the Piece Most People Skip Over
Silent SMS doesn’t operate in isolation. It rides on SS7 (Signaling System 7) which has been the backbone of global telecom signaling since 1975. SS7 was designed when the network was a closed club of trusted operators. No authentication model, because the assumption was that only authorized parties would ever be inside it. That assumption aged badly.
A lot of people assume 5G eliminated these problems entirely, but most current deployments still rely on older 4G core infrastructure underneath. In many regions, 5G operates in NSA (Non-Standalone) mode, where parts of the signaling stack still interact with legacy systems connected to SS7. Full migration away from that ecosystem is slow, which means older signaling risks still remain relevant today.
By 2008, researchers had already demonstrated that SS7 access could be obtained through rogue or cooperative telecom operators. The network never got fixed because fixing it would require replacing infrastructure across hundreds of carriers simultaneously, not something that happens quickly, if at all.
The path a Silent SMS takes through SS7:
The message originates from an SMS gateway or SMSC (Short Message Service Center) with the TP-PID byte set to 0x40, the flag that marks it as Type 0.
The SMSC routes it via MAP (Mobile Application Part) messages to the HLR (Home Location Register), which tracks where the subscriber is currently registered.
Once the HLR confirms the device is active, the message is delivered to the target device.
The target device handles this entirely at the baseband processor level, below the operating system and below every app on your phone, and fires back an ACK.
That ACK propagates back through the network and gets logged with Cell ID data.
No exploit required. No malware. No physical access. This is not considered malicious traffic by the network; it looks like normal signaling.

Detection: Why It Almost Never Happens
When an Android device receives a Type 0 message, it writes this to the system log:
GsmInboundSmsHandler: Received short message type 0, do not display or store. Send ACK.
That log entry exists. But reading it in real time requires a rooted device.
In May 2010, Google pushed a code change that made Type 0 messages invisible at the OS layer, no notification, no storage, no user-visible trace. The reasoning was standards compliance, and technically they were right. But the practical result is that your phone now silently processes these messages with zero transparency to you.
iOS does the same. Type 0 handling happens at the modem firmware level and never surfaces to the app layer.
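On a rooted Android device that log line is the one observable trace, so the detection reduces to watching logcat for it and noticing cadence. The following is an added example, not code from the article or from any tool it names: it assumes the `logcat -v threadtime` line layout, and the log lines embedded in it are constructed, not captured from a real device.

```python
"""Flag Type 0 (silent) SMS events in Android logcat output and report bursts.

Added example, not part of the article. Assumes 'logcat -v threadtime' layout;
SAMPLE_LOG is constructed for illustration, not captured from a real device.
"""
import re
from datetime import datetime, timedelta

# Tag and message text as the telephony stack logs them for a Type 0 delivery.
TYPE0_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+\s+[VDIWEF]\s+"
    r"GsmInboundSmsHandler:\s+Received short message type 0"
)

SAMPLE_LOG = """\
01-15 10:30:00.123  1234  1250 D GsmInboundSmsHandler: Received short message type 0, do not display or store. Send ACK.
01-15 10:30:01.004  1234  1250 D GsmInboundSmsHandler: Received short message type 0, do not display or store. Send ACK.
01-15 10:30:02.550  1234  1250 D GsmInboundSmsHandler: Received short message type 0, do not display or store. Send ACK.
01-15 10:30:05.800   900   900 I ActivityManager: Displayed com.example.app/.MainActivity
01-15 10:35:00.000  1234  1250 D GsmInboundSmsHandler: Received short message type 0, do not display or store. Send ACK.
"""


def type0_events(log_text: str, year: int = 2025) -> list[datetime]:
    """Return the timestamp of every Type 0 delivery the telephony stack logged.
    logcat omits the year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = TYPE0_RE.match(line)
        if m:
            events.append(datetime.strptime(f"{year}-{m['ts']}", "%Y-%m-%d %H:%M:%S.%f"))
    return events


def find_bursts(events: list[datetime], threshold: int = 3,
                window: timedelta = timedelta(seconds=10)) -> list[tuple[datetime, int]]:
    """Sliding window over sorted events: emit (window_start, count) for every
    event that lands in a window already holding >= threshold deliveries.
    A tight cadence is what repeated pings or a baseband flood look like on-device."""
    events = sorted(events)
    bursts, start = [], 0
    for end, ts in enumerate(events):
        while ts - events[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold:
            bursts.append((events[start], count))
    return bursts
```

A single isolated event is not evidence of anything (carriers send Type 0 for their own housekeeping), which is why the burst view, not the raw count, is the signal worth keeping.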
Tools that can help, with caveats:
SnoopSnitch (Android, root required): monitors baseband signaling in real time, alerts on Type 0 messages and IMSI catcher activity. One of the few tools that actually gets close to the right layer.
AIMSICD (Android, discontinued but open source): checks incoming PDU first bytes for 0x40, the Type 0 flag. No longer actively maintained, but the code is worth reading if you want to understand the detection logic.
HushSMS: primarily a sending tool; useful for testing Type 0 delivery against your own number in a controlled environment.
MobileInsight: aimed at researchers who want to analyze baseband protocol logs in detail.
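To make concrete what "checks incoming PDU first bytes for 0x40" means, here is an added example that is not the article's code and not taken from AIMSICD or any other tool named above: it walks a raw SMS-DELIVER PDU by the field layout in 3GPP TS 23.040 and flags TP-PID 0x40. Both PDUs at the bottom are constructed sample values, not captured traffic.

```python
"""Flag a GSM 'Type 0' (silent) SMS by reading TP-PID from a raw SMS-DELIVER PDU.

Added example, not code from the article or from AIMSICD/SnoopSnitch. Field layout
follows 3GPP TS 23.040; both sample PDUs below are constructed by hand, not captured.
"""
from dataclasses import dataclass

TYPE0_PID = 0x40  # TP-PID value marking "short message type 0"


@dataclass
class SmsDeliver:
    smsc: str        # service centre that handed the message to the handset
    originator: str  # TP-OA, the sender as presented by the network
    pid: int         # TP-PID
    dcs: int         # TP-DCS
    udl: int         # TP-UDL, user-data length (a Type 0 usually carries none)

    @property
    def is_silent(self) -> bool:
        return self.pid == TYPE0_PID


def _bcd_digits(raw: bytes) -> str:
    """Decode semi-octet swapped BCD digits; a 0xF nibble pads an odd-length number."""
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)


def _address(toa: int, raw: bytes) -> str:
    # Type-of-address bits 6..4 == 001 means the international numbering plan
    return ("+" if toa & 0x70 == 0x10 else "") + _bcd_digits(raw)


def parse_deliver(pdu_hex: str) -> SmsDeliver:
    data = bytes.fromhex(pdu_hex)
    smsc_len = data[0]                      # octets of SMSC info (TOA + digits)
    smsc = _address(data[1], data[2:1 + smsc_len])
    pos = 1 + smsc_len
    if data[pos] & 0x03 != 0x00:            # TP-MTI 00 == SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len = data[pos + 1]                  # TP-OA length is in digits, not octets
    oa_octets = (oa_len + 1) // 2
    originator = _address(data[pos + 2], data[pos + 3:pos + 3 + oa_octets])
    pos += 3 + oa_octets
    pid, dcs = data[pos], data[pos + 1]
    udl = data[pos + 9]                     # skip the 7-octet TP-SCTS timestamp
    return SmsDeliver(smsc, originator, pid, dcs, udl)


# Constructed samples: same SMSC, sender and timestamp; only TP-PID and TP-UD differ.
SILENT_PDU = "07912143658709F1" "04" "0B915155214365F7" "40" "00" "52105101030000" "00"
NORMAL_PDU = "07912143658709F1" "04" "0B915155214365F7" "00" "00" "52105101030000" "05E8329BFD06"
```

The check is the same wherever the PDU comes from, as long as the SMSC header is present in front of the TPDU.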
For anyone on a non-rooted stock Android or iOS device: there is currently no reliable way to detect Silent SMS in real time.
One misconception worth clearing up: encrypted messaging apps like Signal or WhatsApp do not prevent Silent SMS activity. These apps protect message content at the application layer, while Silent SMS operates entirely at the telecom signaling layer underneath it.
VPNs don’t help either. A VPN encrypts internet traffic, but Silent SMS never touches your mobile data session in the first place.
Who Actually Uses This
Law Enforcement
This is where Silent SMS has its most documented real-world usage, and Germany is the clearest example. German authorities have been more transparent than most: parliamentary inquiries forced official acknowledgment that federal agencies were sending hundreds of thousands of silent SMS per year to track suspects.
The process is not complicated:
Get a court order for a specific MSISDN (phone number).
Send silent SMS at regular intervals, every few minutes if needed.
Each message returns Cell ID data through the carrier’s data retention system.
Map those Cell IDs over time and you have a movement trail.
No IMSI catcher hardware. No physical presence near the target. Just carrier cooperation and network access from wherever the agency operates. Compare that to an IMSI catcher, which needs to be physically close to the target: Silent SMS is effectively the remote version of the same capability.

Network Operators
Carriers use the same mechanism for things nobody thinks twice about:
Checking if a SIM is active before routing a real SMS
OTA (Over-The-Air) provisioning, updating SIM toolkit settings without popping a notification
IoT fleet management, pinging thousands of SIM-enabled sensors to verify they’re online
Network latency monitoring across cell areas
Same message type. Same mechanism. Completely different context. That's part of what makes regulating this difficult: the tool itself is neutral.
Where It Gets Misused
This is where Silent SMS stops being telecom trivia and starts becoming a problem.
Phone number validation before attacks: Before a phishing campaign or SIM swap attempt, an attacker sends silent SMS to a target list. Numbers that return a delivery ACK are confirmed active. Numbers that don’t respond are likely inactive, ported, or prepaid. This pre-validation step is genuinely useful for attackers; it filters their target list without alerting anyone.
Location tracking via cell triangulation: Send silent SMS in quick succession, correlate the delivery timestamps with Cell ID data from SS7 routing, cross-reference with open databases like OpenCelliD — and you have location data. No GPS. No malware. Just signaling metadata.
Network downgrade as a setup: Some attacks combine silent SMS with SS7 signaling to push the target device onto a 2G cell. 2G lacks mutual authentication, so your phone will connect to any tower that claims to be legitimate. Once on 2G, communication interception gets significantly easier. The silent SMS itself isn't the main attack here; it's the setup for what comes next.
Baseband flooding: Sending thousands of silent SMS in a short window can overwhelm the baseband processor’s network stack — causing erratic behavior, dropped calls, or a forced reboot. No installation, no payload, no forensic trace on the device. It’s a denial-of-service technique that most people wouldn’t recognize as an attack.
Device fingerprinting: The metadata from a delivery receipt, routing path, timing, carrier details, can be analyzed to infer device type, carrier, and location range. This feeds into a target profile for follow-on activity.
The strange part is that none of these are network anomalies from the carrier’s perspective. It all looks like routine signaling.

None of these alone means anything definitive. In combination, they’re worth investigating.
Your phone number is the required input. Silent SMS needs a known MSISDN. The more publicly that number is tied to your identity, the easier you are to target. Using separate numbers for public-facing activity is a reasonable operational choice if the context warrants it.
The scariest signals are often the ones your phone was designed to stay silent about.