Threat detection
The Threat tab runs a small set of on-device detectors continuously and surfaces their findings as alerts in a feed. Every detector is deterministic — it follows a rule, not a model — so its behaviour is auditable and reproducible.
What's monitored
The detection pipeline checks five environment surfaces in parallel:
- Cellular — the neighbour-cell list, broadcast SIBs, paging patterns, RAT downgrades, and TAC changes without corresponding motion. This is where IMSI catchers, paging-storm interception, and Stingray-style downgrade attacks show up.
- Wi-Fi — beacon-frame fingerprints, deauth bursts, and SSID/BSSID drift. Catches evil-twin access points and Pineapple-style interception rigs.
- Bluetooth Low Energy — proximity tracker fingerprints (Tile, AirTag, Galaxy SmartTag, Chipolo, etc.) within scan range.
- App audit — permission drift on installed packages compared to the baseline taken at threat-tab open.
- Geographic baseline — every cellular observation is grouped by a six-character geohash. Anything that doesn't match the baseline for that geohash gets surfaced; the baseline grows automatically as you spend time in each area.
The Threat tab
Five sections, top to bottom:
- Risk meter — sum of recent alert severities, capped at 100.
- Detection mode — which tier of heuristics is currently active. Tier 0 is the default and uses NetMonster reflection plus AIMSICD-style cell-info checks. Tier 1 requires an SDR dongle plugged in over USB-OTG. Tier 2 requires root.
- Hardened Mode toggle — opens the Hardened Mode walkthrough.
- Incident response — four-button runbook covered in Hardened Mode.
- Recent alerts — the last fifty alerts, newest first.
Reading an alert
Each alert carries:
- A summary in plain English.
- A severity — Low, Medium, High, or Critical.
- A timestamp in your local time.
- A geohash of where the alert was triggered (six characters, about 1.2 km square).
- An evidence blob — JSON with the raw values that triggered the rule. Tap to expand.
Severity is purely a sum of rule-confidence weights. None of the detectors directly triggers a destructive action — the panic button is always user-initiated.
Heuristics
| Heuristic | Looks for |
|---|---|
| BTS Algorithm | Implausible cell-broadcast values (LAC/CID/MCC/MNC outside the carrier's range, or duplicate cells from different operators) |
| RAT downgrade | LTE → UMTS → GSM forced downgrades |
| TAC change without motion | Tracking-area updates without a corresponding accelerometer-based location shift |
| EARFCN allocation | Cells operating on out-of-band ARFCN values |
| Reattach storm | Multiple network-rejection / reattach cycles in a short window |
| Evil-twin Wi-Fi | SSIDs that match a known good one but with different BSSID and weaker security |
| BLE tracker | Manufacturer-data patterns matching known commercial trackers |
| App permission diff | Permissions appearing on installed packages after baseline |
Per-location baseline
Tetherand does not ship a global cell-tower database — that would need ongoing updates and reveal which DBs you mirror. Instead, the first time the phone visits a given geohash, the cells it sees there become the baseline for that hash. Subsequent visits that introduce new cells, especially ones with implausible parameters, fire alerts.
The baseline lives in the on-device Room database, encrypted at rest. It is never transmitted.
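The per-location baseline above, together with the risk meter (sum of severities, capped at 100) and the BTS-plausibility and RAT-downgrade heuristics from the table, modelled as an added Python illustration. This is not Tetherand's own code: the Cell record shape, the rule weights, the plausibility rules and the home-operator check are all assumptions made for the example.

```python
from collections import namedtuple

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"
RAT_RANK = {"GSM": 0, "UMTS": 1, "LTE": 2}
# Assumed rule-confidence weights; the real weights are not documented on this page.
WEIGHTS = {"new_cell": 15, "implausible_cell": 40, "rat_downgrade": 30}
Cell = namedtuple("Cell", "mcc mnc lac cid rat")  # constructed cell-info record shape

def geohash(lat, lon, precision=6):
    """Standard geohash: alternate longitude/latitude bisections, 5 bits per base-32 char."""
    lat_rng, lon_rng, bits, out, even = [-90.0, 90.0], [-180.0, 180.0], [], "", True
    while len(out) < precision:
        rng, val = (lon_rng, lon) if even else (lat_rng, lat)
        mid = (rng[0] + rng[1]) / 2
        bits.append(1 if val >= mid else 0)
        rng[0 if val >= mid else 1] = mid      # narrow the interval to the chosen half
        even = not even
        if len(bits) == 5:
            out += BASE32[int("".join(map(str, bits)), 2)]
            bits = []
    return out

def implausible(cell, home):
    """BTS-algorithm-style check (assumed rules): foreign operator or reserved LAC/CID values."""
    return (cell.mcc, cell.mnc) != home or cell.lac in (0, 0xFFFE, 0xFFFF) or cell.cid <= 0

class Baseline:
    """Per-geohash baseline: the first scan in an area is learned silently, later scans alert."""
    def __init__(self, home_mcc, home_mnc):
        self.home, self.cells, self.best_rat = (home_mcc, home_mnc), {}, {}

    def observe(self, lat, lon, scan):          # scan: non-empty list of Cells seen right now
        gh, alerts = geohash(lat, lon), []
        if gh not in self.cells:                 # first visit: everything seen becomes baseline
            self.cells[gh] = set(scan)
            self.best_rat[gh] = max((c.rat for c in scan), key=RAT_RANK.get)
            return alerts
        for c in scan:
            if c in self.cells[gh]:
                continue
            rule = "implausible_cell" if implausible(c, self.home) else "new_cell"
            alerts.append((rule, WEIGHTS[rule], {"geohash": gh, "cell": c}))  # evidence blob
            if rule == "new_cell":
                self.cells[gh].add(c)            # plausible new cells grow the baseline; implausible never do
        best = max((c.rat for c in scan), key=RAT_RANK.get)
        if RAT_RANK[best] < RAT_RANK[self.best_rat[gh]]:
            alerts.append(("rat_downgrade", WEIGHTS["rat_downgrade"], {"from": self.best_rat[gh], "to": best}))
        self.best_rat[gh] = best
        return alerts

def risk_meter(alerts):
    return min(100, sum(weight for _, weight, _ in alerts))  # sum of severities, capped at 100
```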
Panic button
The bright-red PANIC button at the bottom of the Threat tab does three things atomically:
- Stops the privacy chain.
- Disconnects the Wi-Fi adapter.
- Drops the cellular radio into airplane mode.
It does not wipe data. For that, see the Burn button in Hardened Mode.
Detection tiers
The default Tier 0 runs on stock Android with no extra hardware. The optional tiers add fidelity:
| Tier | What it adds | Requires |
|---|---|---|
| Tier 0 | NetMonster reflection + AIMSICD/SnoopSnitch/Crocodile-Hunter heuristics | Nothing extra |
| Tier 1 | SDR-driven LTE control-channel decode (SIB/MIB parsing, paging-storm detection at the air interface) | RTL-SDR or HackRF One plugged in via USB-OTG |
| Tier 2 | MediaTek modem diagnostic readers (/proc/ccci_md1_*, mdlog parser, AT-command channel) | Root |
Each tier degrades cleanly to the next-lower tier when its requirement is absent. Tier 1 surfaces "No SDR detected" with a $30 RTL-SDR shopping link; Tier 2 surfaces "Dormant — device is not rooted".