Electronic Disinformation Drops

Posted on by pix
Electronic Disinformation Drops (Banner)

 

Feeding false location & biometric data to crowd-sourced apps

The proactive, Guerrilla approach to privacy doesn’t wait for threats to materialize — it anticipates surveillance, then floods the zone with plausible noise. Rather than hiding in the shadows, you create the shadows. With electronic disinformation drops, you don’t just obscure your location — you seed the map with false signals, turning the crowd-sourced system against itself:  the more credible anomalies in the feed, the less trust anyone can place in any signal — including yours. This isn’t deception for malice; it’s deniability engineering — a tactical refusal to let your digital footprint be cleanly isolated and weaponized. The more people that use this strategy the easier it will be not to trust crowd-sourced apps that track us.

Real-world applications by adversary type:

  • Against a patrol unit monitoring crowd-sourced alerts: You drive past the protest zone while your spoofed device drops 5–10 benign “smoke/chemical smell” reports at nearby intersections — each linked to randomized MACs and offset GPS points — making your actual location indistinguishable from background noise. When they cross-reference the feed, your real signal drowns in the “false alarm” baseline.
  • Facing an investigator with legal access to the app’s back end: Your real report (e.g., “tail vehicle near my home”) gets buried under your own prior decoy reports — same device fingerprint, same Wi-Fi fingerprints, same pattern — but scattered across time and location. The forensic timeline looks consistent (you did use the app), but the correlation between your “anomaly” and your real activity fails to rise above statistical noise.
  • Escalating tension with an ex-partner who tracked you via shared apps (Find My, Life360, etc.): You deploy a persistent spoof loop that cycles between three preset locations (like the gym, cafe, or library) over a 24-hour window — each with realistic dwell times and movement paths — while your actual device sits in a Faraday pouch. When they check the app later, it shows a pattern that feels authentic (“they were at the cafe at 3 PM”), but never where you really were.

This is privacy not invisibility — but as intelligent ambiguity. The goal isn’t to be unseen; it’s to be untrustworthy as a target. Forgotten in the fog.

Practical Steps to Inject “Noise” into Crowd-Sourced Apps

  1. Use a dedicated / secondary device (or VM/emulator) Old Android phone / rooted device / Genymotion VM Why? – Keeps your main device clean; spoofing won’t interfere with real calls, or emergency access.
  2. Enable “mock locations”(Android) – Settings → Developer Options → Enable “Select mock location app” – Install a lightweight mock GPS spoofer (e.g., Fake GPS Go, GPSSpoof, or custom script using `adb shell cmd location mock location`). – Pro tip: Cycle the spoofed location every 15–45 mins to mimic human movement.
  3. Randomize device fingerprints before launching the app `adb shell settings put secure android_id $(head -c 8 /dev/urandom | xxd -p)` `adb shell settings put global device_name “Samsung Galaxy A12″` (or mimicked device) (Optional) Use Mac Address Changer (root) or Spoof MAC to randomize Wi-Fi/Bluetooth MAC per session.
  4. Trigger benign, plausible fake reports – Pre-load non-alarm reports: “lost dog,” “car door open,” “strange smell,” “loitering person” – Time them to precede or follow your real activity (e.g., drop 3 decoy reports 5 mins before/after your actual event). Avoid urgency cues (e.g., “shooter,” “gun visible”) — use low-stakes, ambiguous wording.
  5. Spoof location with jitter and trajectory – Don’t just pin to one fake spot—use way points – Example: “` (lat+0.001, lon+0.002) → wait 5 min (lat+0.002, lon+0.001) → wait 10 min (lat−0.001, lon−0.003) → wait 5 min “` – Tool: `gps-sdr-sim` + `scrcpy` script to auto-cycle points, or use Mock GPS Joy (non-root).
  6. Add Wi-Fi/Bluetooth beacon noise – Deploy low-power ESP32 / Raspberry Pi Pico w/ ESP32 BLE + `ESP32-Probe-ESP` firmware to broadcast fake APs (e.g., “Starbucks_2G”, “Home_WiFi”) with randomized BSSIDs. – Crowd-sourced apps (e.g., Google Location History, Waze) use Wi-Fi fingerprints to refine GPS — this adds secondary noise layer.
  7. Sanitize media before upload – Strip EXIF: `exiftool -All= image.jpg` – Blur faces or sensitive context in-camera (e.g., use Pixel’s “blur before capture” or `ReSpect` ONNX filter). – Delay timestamps by 2–10 mins (not zero — it should look like transmission lag).
  8. Use burst-mode deception – At high-risk moments (entering / leaving a location), trigger 5–10 decoy reports in <2 mins from same device — same pattern, but varying locations / wording. – Overwhelms pattern-recognition models: a single anomaly is notable; 10 similar ones is “background static.”

Key principles embedded:

  • Low footprint: No server, no internet routing — just device-level spoofing.
  • Passive first: Most noise comes from your own past reports, not live streaming.
  • Plausible consistency: Decoy reports look like real users, not bots (e.g., occasional typos, generic phrasing, realistic location drift).  Keeping it “real” and using past data with variations will help to make things believable.

Setting Up Your Device

Wipe & hard reset the device

  • Settings → System → Reset → Erase all data (factory reset)
  • Why? – Removes previous accounts, permissions, and fingerprints. Ensures you have a clean slate.

Enable Developer Options & Mock Location

  • Go to Settings → About Phone → Tap Build Number 7 times (Developer)
  • Return to Settings → System → Developer Options

Enable:

– ✅ USB debugging (required for ADB spoofing or script control)

– ✅ Simulate secondary display (optional: helps with screen mirroring for stealth)

– ✅ Stay awake (optional: prevents sleep during long spoof sessions)

– Critical: Scroll down to “Select mock location app” → Choose your spoofing app (see Step 4).

Install a lightweight mock GPS spoofer

– Download from trusted source (avoid Google Play — privacy risks):

– 🔒 Root: Use Mock GPS Joy (F-Droid) or Fake GPS

Go (APK mirror, verify hash)

– 🟡 Non-root (Android 8–11): Use GPSSpoof (requires ADB once) or Accessibility Service automation (Tasker + GPS spoofer plugin)

– 🟢 Best for reliability: Mock GPS Joy (root) → works even if app updates change location APIs.

Set up persistent spoofed locations

  • Launch the spoofer app
  • Load a pre-planned route or set of points (e.g., using GPX file or saved way points):
    • 2–3 points spaced 200–800m apart from real area
    • Include stops (e.g., coffee shop, bus stop, park bench) with realistic dwell times
    • Pro tip: Save these routes as named presets (name them with easy to remember names:  “Route_A_5min”, “Loop_Downtown”)
    • Let the spoofer auto-pause/resume on motion detection (if supported) to save battery.

How to do the walks:

1. Do a “practice walk” on your own

  • Grab the same older Android device (or a backup phone)
  • Enable Location History (Google) just for this session  Or install a lightweight GPS logger:
    • ✅ GPX Logger (F-Droid) — minimal, open-source, no cloud
    • ✅ Motion Detector (Play Store) — logs track + speed + elevation

Walk:

  • 5 – 15 minutes

Include:

  •  A coffee shop stop (2–5 min pause)
  •  A street crossing (slight pause + direction change)
  • A “look around” loop ( such as a circle around a park block)
  • Keep it mundane: Errand-like, leisurely.

2. Export the GPX file

  • In GPX Logger: Tap menu → Export → choose email/SMS/USB
  • Save to your main device (or cloud—encrypt before upload if needed).

3. Clean & anonymize the GPX

  • Open in a plain text editor (VS Code, Notepad++, VIM)
  • Remove extra tags (e.g., `<extensions>`, `<speed>`, `<course>`) if they break your spoofer
  • Use a script (Python or online GPX trimmer) to:
    • Shift lat/lon by a small offset (e.g., +0.001° lat, −0.0005° lon) → new location, same pattern
    • Add small jitter (±0.0001°) at each point → mimics GPS noise
    • Why shift/jitter? So you don’t reuse your real path — just the motion pattern.

4. Import into mock GPS spoofer 

  •  In Mock GPS Joy (or similar):
    • Tap “Load GPX”
    • Select your cleaned file
  • Set speed multiplier:
    • `1.0x` = walk (realistic for patrol or observation prep)
    •  `0.5x` = very slow (e.g., “loitering”)
    • Save route as “Route_B_2minLoop”, etc.

5. Optional: Add “stop points” manually

  • Even better: Record just the stops (coffee shop, bus stop, mailbox) → then build a loop between them:

“`

A (coffee shop) → 10s pause

B (bus stop) → walk (45s) → 5s pause

C (side street) → walk (30s) → loop back

“`

NOTES:

When I was working out the walks for my city, I checked on a few things. I wanted to make the walks seem like exercise, but I also wanted a few just to go and get a few things like going to the grocery store, get a hair cut and other mundane “cycle of life” errands. I decided to make a few of the exercise ones around the  area so it looked “normal” for me to be out there. Also the other trips. By doing this I had essentially “Lines” of varying lengths with the data I would need. I could “rotate” them and make “New Walks” that looked as natural as the actual ones, just not where I was. This is a very powerful concept. With just a bit of legwork, we can be in a totally different place.

 

Randomize device identity (fingerprint spoofing)

– Root required for full spoofing, but here’s what’s possible:

– ✅ Device ID (android_id):

“`bash

adb shell settings put secure android_id $(head -c 8 /dev/urandom | xxd -p)

“`

(Can be scripted to cycle daily)

– ✅ Device name:

“`bash

adb shell settings put global device_name “SM-A520F” # e.g., mimics Samsung A52

“`

– 🌐 Wi-Fi MAC:

– Root: Use Random MAC or `macchanger -r wlan0`

– Non-root: Disable “Use random MAC” → then manually toggle Wi-Fi on/off repeatedly (some OEMs randomize on each reconnect).

– Bluetooth MAC: Harder; skip if not critical (few apps use BT MAC for geo-triage).

Configure app permissions carefully

– For each crowd-sourced app (Citizen, Nextdoor, Waze, and others):

– Location: “Allow all the time” (essential for spoofed location to register)

– Camera/Mic: Disable (no media upload = less forensic trace)

– Contacts/Storage: Disable (prevent cross-app correlation)

– Do NOT grant notifications or background activity permissions beyond location — most apps only need location to function.

Pre-load decoy reports

– Log into each app once (using burner email if possible)

– Manually enter 5–10 benign reports before deployment:

– Use vague but realistic phrasing:

> “Unusual smell near Main & 5th — not sure what it is.”

> “Car door open in parking lot for 20+ mins.”

– Location: Use same locations as spoofed route (so reports align with GPS)

– Timestamp: Backdate by 1–2 days (apps trust recent consistency)

– Why? Gives “history” — makes real spoofed reports blend in.

Power & battery optimization

– In Battery Settings:

– ✅ Disable battery optimization for your spoofer app & crowd-sourced apps

– Enable High-performance mode (if available)

Remove SIM :

– Prevents carrier-based triangulation and call/log linkage

– Device stays connected to Wi-Fi only

Verify spoofing works across apps

– Launch each app separately

Check:

  • App shows your spoofed location (not your real one)
  • Reports you submit appear at spoofed coordinates
  • No “inconsistent location” warnings (if warned, increase GPS jitter: ±0.002° = ~200m)
  • Use GPS Status & Toolbox (F-Droid) to confirm:
    • Satellites tracking → yes
    • “Mock location” indicator → enabled
    • Wi-Fi/Bluetooth scan → active (helps app triangulate spoofed fingerprint)

 

Conclusion

Taking the time to use crowd-sourced apps against themselves gives us a lot of leverage because they are believable – someone actually “Saw this happening”.  The ambiguity that this raises when you and others start this will be enormous. You can literally walk around and periodically “flood” the zone and seem to disappear. I have archived this and some of the templates that I used as a proof of concept.

Where to go from here? I have just worked on a few of the many crowd-sourced apps – there are many more out there. It would be nice to have those covered also. You can also script this and have multiple “ghosts” walking around. I am sure that you can use this for good.

 

Guerilla Privacy (c)
Disclaimer:
This article is for individuals at higher risk or in places that have repressive governments. It is intended to augment freedoms that we all hold dear. I do not advocate anything illegal or immoral be done with this knowledge. Be safe out there.

 

How useful was this post?

Click on a star to rate it!

Average rating 4.6 / 5. Vote count: 7

No votes so far! Be the first to rate this post.

Leave a Reply