Ghost Traffic: ICMP Tunneling-Based Billing Bypass in LTE Networks
2026-07-06 • Cryptography and Security
Cryptography and Security
AI summaryⓘ
The authors found that some mobile internet providers do not count certain control messages (called ICMP echo traffic) towards data usage, which can let people avoid paying for their data. On Android phones, apps can send these control messages without needing special permission, making it easier to exploit this. They created a system called Ghost Traffic that wraps normal app data inside these control messages to bypass data billing, working on many networks in different countries. They also tested and showed this trick lets users keep using data even after their limits are reached. The authors suggest fixes for devices, software, and networks to stop this kind of billing cheating.
cellular ISPdata billingICMP echoAndroid VpnServicedata capQoS throttlingIPv4 tunnelingIPv6 LTEbilling bypass
Authors
Jung Jin Kim, Sungyup Nam, Seungho Jeon
Abstract
Cellular data billing is a core operational mechanism for mobile Internet service providers (ISPs), and a policy gap that excludes a specific protocol from usage accounting can lead to a practical security threat. Some cellular ISPs treat ICMP echo traffic as control traffic rather than user data and exclude it from billing. At the same time, Android allows ordinary applications to create ICMP echo sockets without root privileges because of an unsafe default configuration, and the combination of these two conditions forms a vulnerability that can bypass data billing. Existing billing-bypass attacks either require root privileges to create raw sockets and modify routing tables, or do not provide an end-to-end implementation that works in a non-rooted environment, which limits the threat to a small group of experts. This paper proposes Ghost Traffic, an end-to-end system that uses Android's VpnService to encapsulate all application traffic into ICMP echo payloads without root privileges and route it through an external proxy server. The proposed system targets both public IPv4 environments and IPv6-only LTE environments through two variants: IPv4 ICMP tunneling and IPv4-over-IPv6 ICMP tunneling. We evaluated its applicability in seven ISP environments in South Korea, Japan, and the United States, and observed end-to-end tunneling in six of them. We observed that billing bypass occurred in multiple environments and quantitatively showed this effect by measuring that Quality of Service (QoS) throttling was not applied even after the data cap was exhausted. Finally, we propose layered countermeasures across the device, platform, and network levels, performed responsible disclosure, and show that the operational practice of not billing ICMP traffic can lead to practical billing bypass.