New Leak Shows NSA's Plans To Hijack App Store Traffic To Implant Malware And Spyware

from the a-spy-in-the-house-of-apps dept

Proving there's nowhere spy agencies won't go to achieve their aims, a new Snowden leak published jointly by The Intercept and Canada's CBC News shows the NSA, GCHQ and other Five Eyes allies looking for ways to insert themselves between Google's app store and end users' phones.

The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…

The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.

Branded "IRRITANT HORN" by the NSA's all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads -- the same malicious implants detailed in an earlier Snowden leak.


While the document doesn't go into too much detail about the pilot program's successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]

In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information -- which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.

But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.
[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.
As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about "legal framework" and "oversight," but it's hard to believe any legal mandate or oversight directly OK'ed plans to hijack private companies' servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies' directives being captured and sifted through in order to find suitable targets for backdoors and implants.




Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 21 May 2015 @ 11:01am

    Sun Tzu

    Know thy self, know thy enemy.

    The closer I look, thy enemy = USA spy agencies.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2015 @ 11:01am

    Doesn't this approach violate and contradict the Secretary of State's recent address? I'm at a loss for words except for my disgust and ever growing concern on who the "good guys" are anymore. Sad day

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2015 @ 11:05am

      Re:

      It's also highly illegal.

      But hey, who cares when the terrorists run the anti-terror agencies?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2015 @ 11:38am

      Re:

      I have never seen the NSA as the good guys. More of a necessary evil. But as they continue to attack what the constitution stands for, I see them as an unnecessary evil.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 May 2015 @ 12:41pm

        Re: Re:

        Neither have I, but they are generally presented as "the good guys" by the current US government who do those tough jobs to allow those (us apparently) to live in a free country. The reality is anything but, as they do what they essentially want to without oversight or consent of the people. I wouldn't call them the enemy, but that distinction between the good/bad is eroding the more their "selfless deeds" are brought to light.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2015 @ 11:10am

    This attack would be pretty complex as you would need to compromise the TLS transport layer encryption as well as the private key that signed the APK. The former would be relatively easy, especially for a state actor but the latter would be difficult to do at scale since every developer has a unique key. Although for years Android's "Master Key" vulnerability allowed circumvention of package checking.

    https://nakedsecurity.sophos.com/2013/07/10/anatomy-of-a-security-hole-googles-android-master-key-de bacle-explained/

    I wonder which intelligence agencies knew about that.


    Of course they could always go full monty and compromise system apps like Google Play services which have full control over all functions of a device.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2015 @ 11:22am

      Re:

      As long as we trust any 3rd party business to provide for our security through Certification then this is not that complex, and neither difficult to compromise.

      You already know that the government can and WILL compel any CA to give them a key that will allow them to decrypt communications.

      reply to this | link to this | view in chronology ]

      • icon
        James Burkhardt (profile), 21 May 2015 @ 11:48am

        Re: Re:

        A) have there been confirmations that the government has compromised a certificate Authority?
        B) Would a chinese of russian certificate authority neccisarily kowtow to the US Government?
        C) Without third party certification, How do we achieve security? Just taking the website's word for it wouldn't work...

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 21 May 2015 @ 12:47pm

          Re: Re: Re:

          They do not have to compromise them. They just NSL them for it and its kept a secret for example. That is hardly the last tool in their war chest. They also plant NSA operatives in organizations to get to data they want as well.

          reply to this | link to this | view in chronology ]

          • icon
            James Burkhardt (profile), 21 May 2015 @ 2:05pm

            Re: Re: Re: Re:

            Umm, a CA giving up the keys is a compromised CA. If the NSA NSLs a cert, then it is a compromised CA.

            Of course, I am not conviced the NSA can legally issue a NSL, but thats a minor point.

            You still haven't answered my question about what we should do instead of using a third party authority.

            reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 May 2015 @ 11:56am

        Re: Re:

        I don't think even the CA can decrypt properly encrypted communications... but they can certainly facilitate a man in the middle attack so it's not properly encrypted in the first place. And the government could be doing this right now, with a gag order so we never find out.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 21 May 2015 @ 12:56pm

          Re: Re: Re:

          It is software, if you have a private key, you have a means to decrypt the data.

          This is why your trust a CA to keep the two end entities from knowing the others private keys.

          In Windows you can created something called a recovery certificate that will allow you to decrypt another's encrypted file? The same concept could apply here. All we have left is to trust a CA whom is certain fold every which way a corrupt government will tell them too.

          There is more than one way to skin this cat! Crypto will only ever be about trust...

          DO YOU TRUST A FACELESS ENTITY TO GUARD YOUR SECRETS FROM ANY GOVERNMENT?

          If you say yes... then you should consider leaving this discussion.

          reply to this | link to this | view in chronology ]

          • icon
            Kal Zekdor (profile), 22 May 2015 @ 10:15am

            Re: Re: Re: Re:

            I don't think you know what a CA does...

            The CA does not create or provide Certificates, they merely sign them so they are "trusted".

            This has little to do with the actual encryption between a TLS enabled client and server. There are at least three legs here (more if you have a web of trust instead of a single trust authority): the client, the server, and the CA. Each of these points have their own private/public key pairs. Data to the client is encrypted using the server's private key, which the CA most certainly does not have.

            If the CA were compromised by an attacker, they still couldn't decrypt communication between client and server. However, if the attacker was able to intercept traffic as a MitM, what they could do would be impersonate the server using the compromised CA. That way they wouldn't need to break the encryption, since the client is encrypting the traffic so that the MitM can decrypt it, thinking that they're talking to the server.

            Blaming third-parties for not disobeying government orders is a red herring, anyway. The government should not be allowed to issue such orders. Period.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 13 Sep 2015 @ 9:44am

              Re: Re: Re: Re: Re:

              "Blaming third-parties for not disobeying government orders is a red herring, anyway. The government should not be allowed to issue such orders. Period."

              Amen to that statement

              reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 May 2015 @ 6:44am

      Re:

      You don't need to worry about encryption on phones, when you have the keys to everything.

      https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2015 @ 11:14am

    Obligatory Godwin.

    What the Nazis were doing was legal and had strict oversight under the Hitler regime too.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2015 @ 11:20am

      Re: Obligatory Godwin.

      I do not think Godwin applies here.

      Not when people are actually doing things that hitler did. I mean... wtf America?

      Do we really have to wait til the very second till trains are hauling some ethic group around to a gas chamber before you fucking wake up?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 May 2015 @ 11:25am

        Re: Re: Obligatory Godwin.

        Why yes, I believe we do.

        reply to this | link to this | view in chronology ]

      • icon
        Padpaw (profile), 22 May 2015 @ 6:08am

        Re: Re: Obligatory Godwin.

        they aren't death camps but there are FEMA camps where the homeless are being forced to go and live at.

        Technically the people can leave if they ask to leave and are told they can.

        I am sure with barbed wire topped walls and armed patrolling guards the camp administrators won't have any problem letting people they have rounded up at gunpoint go where they want to.

        reply to this | link to this | view in chronology ]

  • icon
    Max (profile), 21 May 2015 @ 11:31am

    Thanks a lot NSA for making it utterly impossible for me to ever mock a tin foil hatter again...

    reply to this | link to this | view in chronology ]

  • identicon
    David, 21 May 2015 @ 11:34am

    It would appear that

    The NSA has declared an all-out cyber war on the U.S.A.

    Where are our defenses?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2015 @ 11:59am

    Taking bets that Apple helped the NSA in their google-hijack attempts..any takers?

    reply to this | link to this | view in chronology ]

  • identicon
    Josh, 21 May 2015 @ 12:27pm

    why am I not surprised ?

    reply to this | link to this | view in chronology ]

    • identicon
      David, 21 May 2015 @ 1:35pm

      Re:

      Because Edward Snowden put his life on the line to make the U.S. aware that it is derailing.

      That's why you are not surprised.

      Getting back on track still won't be easy even when clued in.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2015 @ 12:30pm

    So how long is it before any company/corporation is refused to allow their products to be sold outside the US? How long do we have before the economy craters due to this global lack of trust? Unless things change, I foresee a massive migration outside the US just to be free of the NSLs.

    I have a feeling this is going to come to head and it won't be pretty.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2015 @ 5:49pm

    logjam?

    reply to this | link to this | view in chronology ]

  • icon
    Redback (profile), 22 May 2015 @ 11:05am

    Similar Article

    reply to this | link to this | view in chronology ]

  • icon
    GEMont (profile), 22 May 2015 @ 9:28pm

    Good for the soul, but bad for the bank account.

    I guess I'll simply never understand the absolute inability of the American Public to admit that their Spy Agencies are simply collecting information for the pure purposes of blackmail, defamation and monetary profit and that these spies and their minions are about as concerned over the possibility of terrorist attacks on America, as they are over the possibility of indigestion after lunch in the company cafeteria.

    What does it take to finally knock the stolen White Hats off the heads of these now-proven criminals and traitors?

    Video confessions on Utube??

    ---

    reply to this | link to this | view in chronology ]

  • icon
    depyou (profile), 26 May 2015 @ 12:32am

    who cares when the terrorists run the anti-terror agencies?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Sep 2015 @ 9:52am

      Re:

      Great, maybe they'll make the world a better place and drone themselves, and then hopefully use the drones on the drones as a parting gift

      reply to this | link to this | view in chronology ]

  • icon
    anani nadia (profile), 30 May 2015 @ 3:43am

    proud of your experience

    How can you sure about this?

    i m also a news writer in india. check my awesome Research Related Hanumangarh City. Visit my blog http://www.rj31force.com/

    reply to this | link to this | view in chronology ]

  • identicon
    AustinOS, 1 Jun 2015 @ 12:41pm

    Stop The Spying

    How messed up. Their programs just expired and yet they are already planned more malware practice on an extremely high traffic area. http://www.smithsontechnologies.com

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Sep 2015 @ 8:14am

    Oh ffs, ive only just found this story

    Why are'nt these people up on trial already /rhetorical question off

    They've done these things in secret, some of them breaking the lawful rule of their nation to do it, they harras/prosecute/threaten whistle blowers that reveal the secrets that shouldnt be secret, we made a big enough impression to let them know "hang, i think some folks might have an issue with this", and what have they done with the peacefull objection.......ignored, continuing, and generally a big fuck you to the public

    Anyone who sees no wrong with what their doing, dont give a shit about others, or are willing to sacrifice other peoples privacy because of less of importance benefit to the sacrifice(in the grand scheme of things), something that technologically could most definatly be done in various ways, some ways that keep privacy and technological security intact but dont due to outside influence.....or are'nt technically inclined to realise just exactly what they can with just whats been reported

    Ive ranted myself into "lost for words", im left with my original thought.......FFS

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Sep 2015 @ 8:57am

    Ffs

    "The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations"

    This is'nt a surveilance tool, this is a propaganda tool disguised as a surveillance tool

    Ffs man

    No accountability, kept secret, threats made to condition folks to keep it that way, and clearly, a very serious morality problem

    Your job is to govern in as peacefull manner as possible, not instigate violence, control, or own people that is not yourself, what right do you have affecting the life beyond your own without that persons consent, in this case, persons explicit NON consent

    Our governments with their respective agencies are not governments of freedom, their governments of control........we as a species will never learn peace, when so many think a lasting peace can be forced

    Understanding, empathy, and the caring that comes naturally after when one bothers to give understanding and empathy a shot........once you care, you cant uncare

    Goddamit, this kind of news makes me so frustrated

    Im telling ya google/android, i liked your initial ideals, open source etc, but you've driven so far from the main road data stealing, play services(closed source) dependant app, auto system app updates with no control on the matter.......telling ya, when the next guy that comes along and understands the needs of privacy/security and has built their os from the ground up against these needs.....im telling ya

    Parting thoughts

    Warrents are a check against overbearing government
    These surveillances are not targeted, everyones a target, they exploit and store everyones info so by the letter of the law, we are all criminals..........the governments we have, are'nt the governments our governments want us to believe.........its not just about what their telling us its about what their NOT telling us

    A war on internet - were everyone gets a say, not just the authorised

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Sep 2015 @ 9:02am

    IRRITANT HORN- whats that stand for, those that dont toe the party line huh?

    "Minority" but loud voices huh?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.