Proving there’s nowhere spy agencies won’t go to achieve their aims, a new Snowden leak published jointly by The Intercept and Canada’s CBC News shows the NSA, GCHQ and other Five Eyes allies looking for ways to insert themselves between Google’s app store and end users’ phones.
The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…
The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.
Branded “IRRITANT HORN” by the NSA’s all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads — the same malicious implants detailed in an earlier Snowden leak.
While the document doesn’t go into too much detail about the pilot program’s successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]
In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information — which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.
But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.
[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.
As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about “legal framework” and “oversight,” but it’s hard to believe any legal mandate or oversight directly OK’ed plans to hijack private companies’ servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies’ directives being captured and sifted through in order to find suitable targets for backdoors and implants.