[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83850-en":3,"doc-seo-83850-105":29,"detail-sidebar-cat-0-en-105":90},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83850,8796095462418,"Noah","https://ap-avatar.wpscdn.com/avatar/80000253c1241d02b47?x-image-process=image/resize,m_fixed,w_180,h_180&k=1778826106357471780",6,"Technology","Ghost Traffic: ICMP Tunneling-Based Billing Bypass in LTE Networks","Cellular data billing drives mobile Internet usage accounting, and excluding a protocol from Charging Data Records creates a real security exposure. Some LTE ISPs treat ICMP echo traffic as control traffic and omit it from billing, while Android permits unprivileged creation of ICMP echo sockets via an unsafe default kernel setting. Ghost Traffic combines these conditions by encapsulating application traffic into ICMP echo payloads using Android VpnService and routing through an external proxy. The system targets IPv4 and IPv6-only LTE via two tunneling variants and evaluates end-to-end operation and measurable QoS throttling bypass across multiple ISP environments. Layered countermeasures and responsible disclosure are proposed.","GHOST TRAFFIC: ICMP TUNNELING-BASED BILLING BYPASS  \nIN LTE NETWORKS  \narXiv :2607 .04783v 1 [ cs .CR] 6 Jul 2026  \nJung Jin Kim  \n78ResearchLab  \n114, Bongeunsa-ro, Gangnam-gu Seoul, Republic of Korea, 06123 [crazyhacker@78researchlab.com](crazyhacker@78researchlab.com)  \nSungyup Nam  \n78ResearchLab  \n114, Bongeunsa-ro, Gangnam-gu Seoul, Republic of Korea, 06123 [synam@78researchlab.com](synam@78researchlab.com)  \n Seungho Jeon∗  \nDepartment of Smart Security  \nGachon University  \n1342, Seongnam-daero, Sujeong-gu  \nSeongnam-si, Gyeonggi-do, Republic of Korea, 13120  \n[shjeon90@gachon.ac.kr](shjeon90@gachon.ac.kr)  \nABSTRACT  \nCellular data billing is a core operational mechanism for mobile Internet service providers (ISPs), and a policy gap that excludes a specific protocol from usage accounting can lead to a practical security threat. Some cellular ISPs treat ICMP echo traffic as control traffic rather than user data and exclude it from billing. At the same time, Android allows ordinary applications to create ICMP echo sockets without root privileges because of an unsafe default configuration, and the combination of these two conditions forms a vulnerability that can bypass data billing. Existing billing-bypass attacks either require root privileges to create raw sockets and modify routing tables, or do not provide an end-to-end implementation that works in a non-rooted environment, which limits the threat to a small group of experts. This paper proposes Ghost Traffic, an end-to-end system that uses Android’s VpnService to encapsulate all application traffic into ICMP echo payloads without root privileges and route it through an external proxy server. The proposed system targets both public IPv4 environments and IPv6-only LTE environments through two variants: IPv4 ICMP tunneling and IPv4-over-IPv6 ICMP tunneling. We evaluated its applicability in seven ISP environments in South Korea, Japan, and the United States, and observed end-to-end tunneling in six of them. We observed that billing bypass occurred in multiple environments and quantitatively showed this effect by measuring that Quality of Service (QoS) throttling was not applied even after the data cap was exhausted. Finally, we propose layered countermeasures across the device, platform, and network levels, performed responsible disclosure, and show that the operational practice of not billing ICMP traffic can lead to practical billing bypass.  \nKeywords ICMP tunneling · Billing bypass · Cellular network security · Android · Mobile data charging  \n1 Introduction  \nMobile cellular data billing is performed at the Packet Data Network Gateway (P-GW), and the billing system accounts for data usage based on Internet Protocol (IP) packet flows through Charging Data Records (CDRs) [1, 2] . Internet Control Message Protocol (ICMP) is a control protocol originally designed for network diagnostics, and the payload field of an echo request message (type=8, code=0) can carry arbitrary data within the Maximum Transmission Unit (MTU) [3] . Some mobile ISPs maintain an operational practice of treating ICMP traffic as control traffic rather than  \n∗ Corresponding author.  \nuser data and excluding it from billing policies [4] . Meanwhile, Android allows certain process groups to create ICMP echo sockets without root privileges through the kernel parameter ping_group_range, which was introduced in Linux 2.6.39 [5] . In Samsung Galaxy series devices, the default value of this parameter is set to 0 2147483647, which creates a structural issue in which all ordinary applications can create ICMP echo sockets by calling the socket function.  \nThe combination of billing exemption for ICMP traffic and the ability to carry arbitrary payloads forms a fundamental security vulnerability [3, 4, 6, 7] . An attacker can encapsulate Transmission Control Protocol (TCP)/IP packets in ICMP echo payloads and route all application traffic through an external proxy server. In environments where these condit","cbCaiorUmTNQJ02Y","https://ap.wps.com/l/cbCaiorUmTNQJ02Y","pdf",666776,1,18,"English","en",105,"# Abstract\n# Introduction\n## Mobile data billing and charging records\n## ICMP as control traffic in ISP policy\n## Android ICMP echo socket capability\n## Threat model and comparison with prior attacks\n# Related Work","[{\"question\":\"What vulnerability enables billing bypass in the proposed Ghost Traffic system?\",\"answer\":\"Billing bypass is enabled when an ISP excludes ICMP echo traffic from usage accounting and Android allows ordinary applications to create ICMP echo sockets through an unsafe default configuration, enabling ICMP tunneling without root privileges.\"},{\"question\":\"How does Ghost Traffic perform ICMP tunneling without root access?\",\"answer\":\"Ghost Traffic uses Android VpnService to encapsulate application traffic into ICMP echo payloads, then forwards the encapsulated traffic through an external proxy server, avoiding raw-socket and routing-table modifications.\"},{\"question\":\"What variants does Ghost Traffic support for LTE environments?\",\"answer\":\"It supports IPv4 ICMP tunneling and IPv4-over-IPv6 ICMP tunneling, targeting both public IPv4 deployments and IPv6-only LTE networks.\"}]",1784190974,45,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":85,"head_meta":87,"extra_data":89,"updated_unix":27},"ghost-traffic-icmp-tunneling-based-billing-bypass-in-lte-networks","",{"@graph":35,"@context":84},[36,53,67],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/ghost-traffic-icmp-tunneling-based-billing-bypass-in-lte-networks/83850/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":61,"encodingFormat":60,"isAccessibleForFree":62,"interactionStatistic":63},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-16",true,{"@type":64,"interactionType":65,"userInteractionCount":4},"InteractionCounter",{"@type":66},"ViewAction",{"@type":68,"mainEntity":69},"FAQPage",[70,76,80],{"name":71,"@type":72,"acceptedAnswer":73},"What vulnerability enables billing bypass in the proposed Ghost Traffic system?","Question",{"text":74,"@type":75},"Billing bypass is enabled when an ISP excludes ICMP echo traffic from usage accounting and Android allows ordinary applications to create ICMP echo sockets through an unsafe default configuration, enabling ICMP tunneling without root privileges.","Answer",{"name":77,"@type":72,"acceptedAnswer":78},"How does Ghost Traffic perform ICMP tunneling without root access?",{"text":79,"@type":75},"Ghost Traffic uses Android VpnService to encapsulate application traffic into ICMP echo payloads, then forwards the encapsulated traffic through an external proxy server, avoiding raw-socket and routing-table modifications.",{"name":81,"@type":72,"acceptedAnswer":82},"What variants does Ghost Traffic support for LTE environments?",{"text":83,"@type":75},"It supports IPv4 ICMP tunneling and IPv4-over-IPv6 ICMP tunneling, targeting both public IPv4 deployments and IPv6-only LTE networks.","https://schema.org",{"og:url":51,"og:type":86,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":88,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":91},[92,96,100,104,109,112,117,122,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":93,"show_sort_weight":94,"slug":95},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":97,"show_sort_weight":98,"slug":99},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":101,"show_sort_weight":102,"slug":103},"Exam",70,"exam",{"id":105,"doc_module":4,"doc_module_name":45,"category_name":106,"show_sort_weight":107,"slug":108},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":110,"slug":111},50,"technology",{"id":113,"doc_module":4,"doc_module_name":45,"category_name":114,"show_sort_weight":115,"slug":116},7,"Healthcare",40,"healthcare",{"id":118,"doc_module":4,"doc_module_name":45,"category_name":119,"show_sort_weight":120,"slug":121},8,"Research & Report",30,"research-report",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},9,"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":105,"slug":137},19,"General","general"]