Recently, there has been a major investigative report about a little-known surveillance company called First Wap has built a global phone-tracking empire.

What is First Wap?

  • First Wap is a surveillance firm headquartered in Jakarta, Indonesia, but run by European executives.
  • It started in the late 1990s as a wireless application protocol (WAP) company but pivoted to surveillance in the early 2000s.
  • Its flagship system, Altamides (Advanced Location Tracking and Mobile Information and Deception System), exploits vulnerabilities in telecom signaling networks to track phones globally without infecting individual devices or leaving any traces.

How Does It Track Phones Worldwide?

  • First Wap uses Signaling System No. 7 (SS7). Signaling System No. 7 is a set of telephony signaling protocols developed in the 1970s for routing calls and texts between carriers. The protocol was introduced in the Bell System.
  • SS7 was never built with strong security in mind, so First Wap sends location requests disguised as legitimate network queries.
  • This allows them to pinpoint a phone’s location via cell towers, intercept calls and SMS, and even bypass encrypted apps like WhatsApp—all without user intervention or installed malware.

Scale of Operations

  • Investigations uncovered 1.5 million rows of telecom data and evidence of tracking 14,000+ phone numbers across 160 countries, including:
    • World leaders
    • Journalists
    • Human rights defenders
    • Political dissidents
    • Ordinary civilians

Why Is This Concerning?

  • Unlike spyware like Pegasus, this method leaves no trace on the device—no overheating, no battery drain, no malicious links.
  • It’s marketed as “law enforcement technology” but has been sold to authoritarian regimes and private clients, enabling “despotism as a service.”
  • Raises serious concerns about privacy, legality, and global telecom security, as SS7 vulnerabilities remain in use for backward compatibility with older networks.

 How can individuals protect themselves?

Unfortunately, because SS7 vulnerabilities are built into the global telecom infrastructure, there’s no perfect defense, but individuals can reduce risk significantly by following these steps:

  1. Use End-to-End Encrypted Apps
  • Apps like Signal or WhatsApp encrypt messages, so even if calls or SMS are intercepted, your chats remain secure.
  • Avoid relying on SMS for sensitive information (e.g., two-factor codes).
  1. Enable Two-Factor Authentication (2FA)
  • Use app-based 2FA (Google Authenticator, Authy) instead of SMS-based codes, which can be intercepted via SS7 exploits.
  1. Keep Your Device Updated
  • Regular OS and app updates patch vulnerabilities that attackers might exploit alongside SS7 weaknesses.
  1. Use a VPN for Data Privacy
  • A VPN encrypts your internet traffic, making it harder for attackers to monitor your online activity—even if they know your location.
  1. Consider VoIP or Secure Calling
  • Services like Signal voice/video calls or FaceTime use strong encryption, unlike traditional cellular calls.
  1. Travel Precautions
  • When abroad, avoid connecting to unknown networks and consider using temporary SIMs or eSIMs for added security.

Thanks to:
Lighthouse Reports
https://www.lighthousereports.com/methodology/surveillance-secrets-explainer/

Gibson Research Company
https://www.grc.com

Deliver David's Tech Talk to my inbox

We'll send David's weekly Tech Talk to your inbox - including the MP3 of the actual radio spot. You'll never miss a valuable tip again!