New Leak Shows NSA's Plans To Hijack App Store Traffic To Implant Malware And Spyware

from the a-spy-in-the-house-of-apps dept

Proving there’s nowhere spy agencies won’t go to achieve their aims, a new Snowden leak published jointly by The Intercept and Canada’s CBC News shows the NSA, GCHQ and other Five Eyes allies looking for ways to insert themselves between Google’s app store and end users’ phones.

The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…

The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.

Branded “IRRITANT HORN” by the NSA’s all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads — the same malicious implants detailed in an earlier Snowden leak.

While the document doesn’t go into too much detail about the pilot program’s successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]

In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information — which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.

But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.

[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.

As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about “legal framework” and “oversight,” but it’s hard to believe any legal mandate or oversight directly OK’ed plans to hijack private companies’ servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies’ directives being captured and sifted through in order to find suitable targets for backdoors and implants.

Companies: apple, google


Comments on “New Leak Shows NSA's Plans To Hijack App Store Traffic To Implant Malware And Spyware”

Anonymous Coward says:

Re: Re: Re:

Neither have I, but they are generally presented as “the good guys” by the current US government who do those tough jobs to allow those (us apparently) to live in a free country. The reality is anything but, as they do what they essentially want to without oversight or consent of the people. I wouldn’t call them the enemy, but that distinction between the good/bad is eroding the more their “selfless deeds” are brought to light.

Anonymous Coward says:

This attack would be pretty complex as you would need to compromise the TLS transport layer encryption as well as the private key that signed the APK. The former would be relatively easy, especially for a state actor but the latter would be difficult to do at scale since every developer has a unique key. Although for years Android’s “Master Key” vulnerability allowed circumvention of package checking.

I wonder which intelligence agencies knew about that.

Of course they could always go full monty and compromise system apps like Google Play services which have full control over all functions of a device.
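The comment above separates two defences: TLS protecting the download in transit, and the developer's signature over the package itself. The Go program below is an added example, not part of the comment or of Android's real APK signing format, that shows why the second one matters on its own. A constructed package is signed with a developer key, and the device verifies it against the public key it pinned at first install. A bundle with bytes appended in transit fails, and so does one re-signed with some other key; only the untouched bundle is accepted. The package name `com.example.app` and all byte strings are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for a downloaded app bundle plus the
// signature its developer attached; it is not Android's real APK signing format.
type Package struct {
	Name      string
	Contents  []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Contents)
}

// SignPackage runs on the developer's build machine; the private key never
// travels with the package.
func SignPackage(dev *ecdsa.PrivateKey, name string, contents []byte) (Package, error) {
	digest := sha256.Sum256(contents)
	sig, err := ecdsa.SignASN1(rand.Reader, dev, digest[:])
	if err != nil {
		return Package{}, err
	}
	return Package{Name: name, Contents: contents, Signature: sig}, nil
}

// VerifyPackage runs on the device after download. The pinned public key is the
// one the app was first installed with, so a bundle altered on the wire, or
// re-signed by anyone else, is rejected regardless of what happened to TLS.
func VerifyPackage(pinned *ecdsa.PublicKey, p Package) error {
	digest := sha256.Sum256(p.Contents)
	if !ecdsa.VerifyASN1(pinned, digest[:], p.Signature) {
		return errors.New("signature does not verify under the pinned developer key")
	}
	return nil
}

// PackageOutcome records which of three packages the device accepts.
type PackageOutcome struct {
	GenuineAccepted  bool // untouched bundle, developer's signature
	TamperedAccepted bool // bytes appended in transit, original signature left in place
	ResignedAccepted bool // altered bytes, re-signed with a key that is not the developer's
}

// PackageScenario plays the download through once with constructed inputs.
func PackageScenario() (PackageOutcome, error) {
	dev, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return PackageOutcome{}, err
	}
	genuine, err := SignPackage(dev, "com.example.app", []byte("constructed app bytes v1"))
	if err != nil {
		return PackageOutcome{}, err
	}

	// An on-path party changes the payload but cannot produce the developer's signature.
	tampered := genuine
	tampered.Contents = append(append([]byte{}, genuine.Contents...), []byte("constructed extra bytes")...)

	// Re-signing with some other key does not help either: the device pins the developer's key.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return PackageOutcome{}, err
	}
	resigned, err := SignPackage(other, genuine.Name, tampered.Contents)
	if err != nil {
		return PackageOutcome{}, err
	}

	return PackageOutcome{
		GenuineAccepted:  VerifyPackage(&dev.PublicKey, genuine) == nil,
		TamperedAccepted: VerifyPackage(&dev.PublicKey, tampered) == nil,
		ResignedAccepted: VerifyPackage(&dev.PublicKey, resigned) == nil,
	}, nil
}

func main() {
	o, err := PackageScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v resigned=%v\n", o.GenuineAccepted, o.TamperedAccepted, o.ResignedAccepted)
}
```

The pinned key is the whole point: if the device accepted any valid signature rather than the developer's known key, the re-signed bundle would pass, which is why a signing-check bypass of the kind the comment mentions is so damaging.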

Anonymous Coward says:

Re: Re:

As long as we trust any third-party business to provide for our security through certification, then this is not that complex, nor difficult to compromise.

You already know that the government can and WILL compel any CA to give them a key that will allow them to decrypt communications.

James Burkhardt (profile) says:

Re: Re: Re:

A) Have there been confirmations that the government has compromised a certificate authority?
B) Would a Chinese or Russian certificate authority necessarily kowtow to the US government?
C) Without third-party certification, how do we achieve security? Just taking the website’s word for it wouldn’t work…

Anonymous Coward says:

Re: Re: Re:

I don’t think even the CA can decrypt properly encrypted communications… but they can certainly facilitate a man in the middle attack so it’s not properly encrypted in the first place. And the government could be doing this right now, with a gag order so we never find out.

Anonymous Coward says:

Re: Re: Re: Re:

It is software; if you have a private key, you have a means to decrypt the data.

This is why you trust a CA to keep the two end entities from knowing the other’s private keys.

In Windows you can create something called a recovery certificate that will allow you to decrypt another’s encrypted file. The same concept could apply here. All we have left is to trust a CA who is certain to fold every which way a corrupt government will tell them to.

There is more than one way to skin this cat! Crypto will only ever be about trust…


If you say yes… then you should consider leaving this discussion.

Kal Zekdor (profile) says:

Re: Re: Re:2 Re:

I don’t think you know what a CA does…

The CA does not create or provide Certificates, they merely sign them so they are “trusted”.

This has little to do with the actual encryption between a TLS enabled client and server. There are at least three legs here (more if you have a web of trust instead of a single trust authority): the client, the server, and the CA. Each of these points has their own private/public key pairs. Data to the client is encrypted using the server’s private key, which the CA most certainly does not have.

If the CA were compromised by an attacker, they still couldn’t decrypt communication between client and server. However, if the attacker was able to intercept traffic as a MitM, what they could do would be impersonate the server using the compromised CA. That way they wouldn’t need to break the encryption, since the client is encrypting the traffic so that the MitM can decrypt it, thinking that they’re talking to the server.

Blaming third-parties for not disobeying government orders is a red herring, anyway. The government should not be allowed to issue such orders. Period.
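The scenario in the comment above, a trusted-but-compromised CA used by an on-path attacker to impersonate the server, as an added example in Go (not part of the comment or of any real store client). It builds two root CAs, an honest one and one the attacker controls, puts both in the client's trust store, and then checks the genuine server certificate and an impostor certificate two ways: with stock chain validation, which accepts both, and with SPKI public-key pinning, which rejects the impostor because its key is not the one the client shipped with. The hostname `appstore.example` and the CA names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "appstore.example" // placeholder name for the store server, not a real host

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds either a root CA template or a server leaf template for host.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{host}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signer on behalf of parent (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SPKIPin is SHA-256 over the certificate's SubjectPublicKeyInfo, the value pinning clients compare.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// VerifyChain is the stock TLS client check: any root in the pool may vouch for host.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// VerifyPinned adds the check a pinning client makes after chain validation.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, pin [32]byte) error {
	if err := VerifyChain(leaf, roots); err != nil {
		return err
	}
	if SPKIPin(leaf) != pin {
		return errors.New("server public key does not match the pinned key")
	}
	return nil
}

type PinOutcome struct{ GenuineChain, RogueChain, GenuinePinned, RoguePinned bool } // which certificates each check accepts

// PinScenario puts an honest root and an attacker-controlled root in the same trust
// store, then presents the real server certificate and an impostor for host.
func PinScenario() PinOutcome {
	honestKey, rogueKey, serverKey, mitmKey := newKey(), newKey(), newKey(), newKey()
	honestT, rogueT := template(1, "Honest Root CA", true), template(2, "Compromised Root CA", true)
	honestCA := issue(honestT, honestT, &honestKey.PublicKey, honestKey)
	rogueCA := issue(rogueT, rogueT, &rogueKey.PublicKey, rogueKey)
	roots := x509.NewCertPool() // the client's trust store holds both roots
	roots.AddCert(honestCA)
	roots.AddCert(rogueCA)
	genuine := issue(template(3, host, false), honestCA, &serverKey.PublicKey, honestKey)
	pin := SPKIPin(genuine) // shipped inside the client ahead of time
	impostor := issue(template(4, host, false), rogueCA, &mitmKey.PublicKey, rogueKey)
	return PinOutcome{
		GenuineChain:  VerifyChain(genuine, roots) == nil,
		RogueChain:    VerifyChain(impostor, roots) == nil,
		GenuinePinned: VerifyPinned(genuine, roots, pin) == nil,
		RoguePinned:   VerifyPinned(impostor, roots, pin) == nil,
	}
}

func main() { fmt.Printf("%+v\n", PinScenario()) }
```

Note that the impostor never needs the real server's private key: the client encrypts its session to whichever key sits in the certificate it accepted, which is exactly the point the comment makes about a MitM with a compromised CA. Pinning closes that gap for a client that knows in advance which server key to expect.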

Padpaw (profile) says:

Re: Re: Obligatory Godwin.

They aren’t death camps, but there are FEMA camps where the homeless are being forced to go and live.

Technically the people can leave if they ask to leave and are told they can.

I am sure with barbed wire topped walls and armed patrolling guards the camp administrators won’t have any problem letting people they have rounded up at gunpoint go where they want to.

Anonymous Coward says:

So how long is it before any company/corporation is refused to allow their products to be sold outside the US? How long do we have before the economy craters due to this global lack of trust? Unless things change, I foresee a massive migration outside the US just to be free of the NSLs.

I have a feeling this is going to come to a head and it won’t be pretty.

GEMont (profile) says:

Good for the soul, but bad for the bank account.

I guess I’ll simply never understand the absolute inability of the American Public to admit that their Spy Agencies are simply collecting information for the pure purposes of blackmail, defamation and monetary profit and that these spies and their minions are about as concerned over the possibility of terrorist attacks on America, as they are over the possibility of indigestion after lunch in the company cafeteria.

What does it take to finally knock the stolen White Hats off the heads of these now-proven criminals and traitors?

Video confessions on Utube??

Anonymous Coward says:

Oh ffs, I’ve only just found this story

Why aren’t these people up on trial already /rhetorical question off

They’ve done these things in secret, some of them breaking the lawful rule of their nation to do it, they harass/prosecute/threaten whistleblowers that reveal the secrets that shouldn’t be secret, we made a big enough impression to let them know “hang on, I think some folks might have an issue with this”, and what have they done with the peaceful objection…….ignored, continuing, and generally a big fuck you to the public

Anyone who sees no wrong with what they’re doing, don’t give a shit about others, or are willing to sacrifice other people’s privacy because of a less important benefit to the sacrifice (in the grand scheme of things), something that technologically could most definitely be done in various ways, some ways that keep privacy and technological security intact but don’t due to outside influence…..or aren’t technically inclined to realise just exactly what they can do with just what’s been reported

I’ve ranted myself into “lost for words”, I’m left with my original thought…….FFS

Anonymous Coward says:


“[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations”

This isn’t a surveillance tool, this is a propaganda tool disguised as a surveillance tool

Ffs man

No accountability, kept secret, threats made to condition folks to keep it that way, and clearly, a very serious morality problem

Your job is to govern in as peaceful a manner as possible, not instigate violence, control, or own people that are not yourself, what right do you have affecting the life beyond your own without that person’s consent, in this case, the person’s explicit NON consent

Our governments with their respective agencies are not governments of freedom, they’re governments of control……..we as a species will never learn peace, when so many think a lasting peace can be forced

Understanding, empathy, and the caring that comes naturally after when one bothers to give understanding and empathy a shot……..once you care, you can’t uncare

Goddammit, this kind of news makes me so frustrated

I’m telling ya google/android, I liked your initial ideals, open source etc, but you’ve driven so far from the main road: data stealing, play services (closed source) dependent apps, auto system app updates with no control on the matter…….telling ya, when the next guy that comes along and understands the needs of privacy/security and has built their OS from the ground up against these needs… telling ya

Parting thoughts

Warrants are a check against overbearing government
These surveillances are not targeted, everyone’s a target, they exploit and store everyone’s info so by the letter of the law, we are all criminals……….the governments we have, aren’t the governments our governments want us to believe………it’s not just about what they’re telling us it’s about what they’re NOT telling us

A war on internet – where everyone gets a say, not just the authorised
