TraceX Labs Warns: Sanchar Saathi Mandate Creates “Pegasus-Style Surveillance Architecture” on Indian Smartphones

The Indian governments decision to mandate the pre-installation of the Sanchar Saathi app on every smartphone in India has ignited a nationwide controversy. Now, cybersecurity researchers at TraceX Labs have issued a high-risk privacy advisory, warning that the app and the mandate together create a Pegasus-like surveillance environment, raising concerns about large-scale, one-way monitoring of user activity.

A Mandatory, Non-Removable App Sparks Fears of State Surveillance

In a recent directive, the Centre ordered all smartphone manufacturers to:

• Pre-install Sanchar Saathi on every new smartphone

• Push the app to existing users via software updates

• Ensure users cannot delete, disable, or modify the app

According to TraceX Labs, this single policy shift fundamentally alters the privacy landscape in India, transforming every smartphone into a potential data surface accessible to the state.

Opposition leaders and privacy activists immediately compared the move to Pegasus, the infamous spyware that infiltrated targeted devices and monitored messages, calls, and movements. While Sanchar Saathi is not technically Pegasus, TraceX Labs notes that the architecture resembles the foundations of a mass surveillance system.

TraceX Labs: Sanchar Saathi Exhibits Spyware-Grade Characteristics

In its internal risk analysis, TraceX Labs states that Sanchar Saathi demonstrates multiple behavioural indicators commonly found in spyware, including:

1. Continuous Location Access

The app requests persistent access to GPS and network-based location data �enabling real-time device tracking.

2. Access to Call & SMS Metadata

Permissions include the ability to detect call activity, monitor network state, and access communication logs.

3. Device Identifier & Network Surveillance

Sanchar Saathi can read IMEI numbers, SIM details, and network information essentially mapping the phones identity.

4. Camera-Adjacent Access

Although not a camera app, Sanchar Saathi requests permissions touching camera-related APIs, a red flag in surveillance assessments.

5. System-Level Persistence

The app is undeletable, cannot be disabled, and is placed in a priority system layer �a key trait of persistent surveillance software.

TraceX Labs concludes:

Sanchar Saathi is not Pegasus, but the forced design and deeply intrusive permissions position it as a Pegasus-style monitoring tool. The user is fully visible to the system, while the system remains invisible to the user.

Political Leaders Call It Pegasus Plus Plus

Multiple politicians reacted strongly:

• Karti Chidambaram said the move is Pegasus plus pluand creates a scenario where Big Brother will take over our phones

• Priyanka Chaturvedi termed it a BIG BOSS surveillance moment

• John Brittas joked that the next step might be ankle monitors and brain implants for 1.4 billion people

• Tehseen Poonawalla called it surveillance at its worst,claiming userscalls, texts, and location data could be accessed.

Across social media, Pegasustrended once again as citizens questioned why a government app needed such sweeping control.

Government Justifies the Move as a Safety Initiative

The Centre claims Sanchar Saathi aims to:

• Prevent the sale of counterfeit phones

• Help users identify stolen devices

• Support SIM misuse tracking

BJP MP Shashank Mani Tripathi defended the mandate, asserting there is no threat to privacyand that our data will be digitally protected.

However, TraceX Labs argues that intent cannot be used to ignore architecture:

Even if designed for safety, an undeletable app with full device visibility forms the backbone of a surveillance system. What matters is capability, not intention.

Why TraceX Labs Calls It a One-Way Monitoring System

The labs primary concern is that Sanchar Saathi creates a one-directional data flow:

• The app sees the user.

• The user cannot see what the app does.

• The user cannot disable it.

• The user has no transparency over data collection.

This behaviour is central to spyware classification.

TraceX Labs summarises the risk as:

The Sanchar Saathi mandate installs a permanent observation window inside every Indian smartphone �a Pegasus-lite system with national-scale reach.

Final Assessment: PegasusNo. Pegasus-Style CapabilitiesYes.

TraceX Labs does not label Sanchar Saathi as malware or Pegasus.
However, it officially categorises the system as:

Spyware-grade, non-removable, government-controlled software capable of one-way monitoring of user activity.

The controversy is not about the app alone it is about the structure of mandatory surveillance it enables.