New Leak Shows NSA's Plans To Hijack App Store Traffic To Implant Malware And Spyware

from the a-spy-in-the-house-of-apps dept

Thu, May 21st 2015 10:42am — Tim Cushing

Proving there's nowhere spy agencies won't go to achieve their aims, a new Snowden leak published jointly by The Intercept and Canada's CBC News shows the NSA, GCHQ and other Five Eyes allies looking for ways to insert themselves between Google's app store and end users' phones.

The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals…

The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google.

Branded "IRRITANT HORN" by the NSA's all-caps random-name-generator, the pilot program looked to perform man-in-the-middle attacks on app store downloads in order to attach malware/spyware payloads -- the same malicious implants detailed in an earlier Snowden leak.

While the document doesn't go into too much detail about the pilot program's successes, it does highlight several vulnerabilities it uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab report]

In addition to discovering that phone ID info, along with geolocation data and search queries, was being sent without encryption, the researchers also found that clearing the app cache failed to remove DNS information -- which could allow others to reconstruct internet activity. Citizen Lab has informed the makers of UC Browser of its many vulnerabilities, something the Five Eyes intelligence agencies obviously had no interest in doing.

But IRRITANT HORN went beyond simply delivering malicious implants to unsuspecting users. The Five Eyes agencies also explored the idea of using compromised communication lines to deliver disinformation and counter-propaganda.

[The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.

As is the case with each new leak, the involved agencies have either declined to comment or have offered the standard defensive talking points about "legal framework" and "oversight," but it's hard to believe any legal mandate or oversight directly OK'ed plans to hijack private companies' servers for the purpose of spreading malware and disinformation. And, as is the case with many other spy programs, IRRITANT HORN involves a lot of data unrelated to these agencies' directives being captured and sifted through in order to find suitable targets for backdoors and implants.

Uc Web Report Final for Dc (PDF)Uc Web Report Final for Dc (Text)

UCBrowser ReportPDF (PDF)UCBrowser ReportPDF (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: app stores, google play, irritant horn, man in the middle, nsa, surveillance
Companies: apple, google

39 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 21 May 2015 @ 11:01am

Sun Tzu
Know thy self, know thy enemy.

The closer I look, thy enemy = USA spy agencies.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:01am

Doesn't this approach violate and contradict the Secretary of State's recent address? I'm at a loss for words except for my disgust and ever growing concern on who the "good guys" are anymore. Sad day
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:05am

Re:
It's also highly illegal.

But hey, who cares when the terrorists run the anti-terror agencies?
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:10am

This attack would be pretty complex as you would need to compromise the TLS transport layer encryption as well as the private key that signed the APK. The former would be relatively easy, especially for a state actor but the latter would be difficult to do at scale since every developer has a unique key. Although for years Android's "Master Key" vulnerability allowed circumvention of package checking.

https://nakedsecurity.sophos.com/2013/07/10/anatomy-of-a-security-hole-googles-android-master-key-de bacle-explained/

I wonder which intelligence agencies knew about that.

Of course they could always go full monty and compromise system apps like Google Play services which have full control over all functions of a device.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:14am

Obligatory Godwin.
What the Nazis were doing was legal and had strict oversight under the Hitler regime too.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:20am

Re: Obligatory Godwin.
I do not think Godwin applies here.

Not when people are actually doing things that hitler did. I mean... wtf America?

Do we really have to wait til the very second till trains are hauling some ethic group around to a gas chamber before you fucking wake up?
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:22am

Re:
As long as we trust any 3rd party business to provide for our security through Certification then this is not that complex, and neither difficult to compromise.

You already know that the government can and WILL compel any CA to give them a key that will allow them to decrypt communications.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:25am

Re: Re: Obligatory Godwin.
Why yes, I believe we do.
[ link to this | view in thread ]
Max (profile), 21 May 2015 @ 11:31am

Thanks a lot NSA for making it utterly impossible for me to ever mock a tin foil hatter again...
[ link to this | view in thread ]
David, 21 May 2015 @ 11:34am

It would appear that
The NSA has declared an all-out cyber war on the U.S.A.

Where are our defenses?
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:38am

Re:
I have never seen the NSA as the good guys. More of a necessary evil. But as they continue to attack what the constitution stands for, I see them as an unnecessary evil.
[ link to this | view in thread ]
James Burkhardt (profile), 21 May 2015 @ 11:48am

Re: Re:
A) have there been confirmations that the government has compromised a certificate Authority?
B) Would a chinese of russian certificate authority neccisarily kowtow to the US Government?
C) Without third party certification, How do we achieve security? Just taking the website's word for it wouldn't work...
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:56am

Re: Re:
I don't think even the CA can decrypt properly encrypted communications... but they can certainly facilitate a man in the middle attack so it's not properly encrypted in the first place. And the government could be doing this right now, with a gag order so we never find out.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 11:59am

Taking bets that Apple helped the NSA in their google-hijack attempts..any takers?
[ link to this | view in thread ]
Ninja (profile), 21 May 2015 @ 12:21pm

Re: It would appear that
What defenses? You are the enemy.
[ link to this | view in thread ]
Josh, 21 May 2015 @ 12:27pm

why am I not surprised ?
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 12:30pm

So how long is it before any company/corporation is refused to allow their products to be sold outside the US? How long do we have before the economy craters due to this global lack of trust? Unless things change, I foresee a massive migration outside the US just to be free of the NSLs.

I have a feeling this is going to come to head and it won't be pretty.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 12:41pm

Re: Re:
Neither have I, but they are generally presented as "the good guys" by the current US government who do those tough jobs to allow those (us apparently) to live in a free country. The reality is anything but, as they do what they essentially want to without oversight or consent of the people. I wouldn't call them the enemy, but that distinction between the good/bad is eroding the more their "selfless deeds" are brought to light.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 12:47pm

Re: Re: Re:
They do not have to compromise them. They just NSL them for it and its kept a secret for example. That is hardly the last tool in their war chest. They also plant NSA operatives in organizations to get to data they want as well.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 12:56pm

Re: Re: Re:
It is software, if you have a private key, you have a means to decrypt the data.

This is why your trust a CA to keep the two end entities from knowing the others private keys.

In Windows you can created something called a recovery certificate that will allow you to decrypt another's encrypted file? The same concept could apply here. All we have left is to trust a CA whom is certain fold every which way a corrupt government will tell them too.

There is more than one way to skin this cat! Crypto will only ever be about trust...

DO YOU TRUST A FACELESS ENTITY TO GUARD YOUR SECRETS FROM ANY GOVERNMENT?

If you say yes... then you should consider leaving this discussion.
[ link to this | view in thread ]
David, 21 May 2015 @ 1:35pm

Re:
Because Edward Snowden put his life on the line to make the U.S. aware that it is derailing.

That's why you are not surprised.

Getting back on track still won't be easy even when clued in.
[ link to this | view in thread ]
James Burkhardt (profile), 21 May 2015 @ 2:05pm

Re: Re: Re: Re:
Umm, a CA giving up the keys is a compromised CA. If the NSA NSLs a cert, then it is a compromised CA.

Of course, I am not conviced the NSA can legally issue a NSL, but thats a minor point.

You still haven't answered my question about what we should do instead of using a third party authority.
[ link to this | view in thread ]
Anonymous Coward, 21 May 2015 @ 5:49pm

logjam?
[ link to this | view in thread ]
Padpaw (profile), 22 May 2015 @ 6:08am

Re: Re: Obligatory Godwin.
they aren't death camps but there are FEMA camps where the homeless are being forced to go and live at.

Technically the people can leave if they ask to leave and are told they can.

I am sure with barbed wire topped walls and armed patrolling guards the camp administrators won't have any problem letting people they have rounded up at gunpoint go where they want to.
[ link to this | view in thread ]
Padpaw (profile), 22 May 2015 @ 6:10am

Re:
better emigrate before they close the borders. You know what they say "history repeats itself, so learn from it"
[ link to this | view in thread ]
Anonymous Coward, 22 May 2015 @ 6:44am

Re:
You don't need to worry about encryption on phones, when you have the keys to everything.

https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
[ link to this | view in thread ]
Kal Zekdor (profile), 22 May 2015 @ 10:15am

Re: Re: Re: Re:
I don't think you know what a CA does...

The CA does not create or provide Certificates, they merely sign them so they are "trusted".

This has little to do with the actual encryption between a TLS enabled client and server. There are at least three legs here (more if you have a web of trust instead of a single trust authority): the client, the server, and the CA. Each of these points have their own private/public key pairs. Data to the client is encrypted using the server's private key, which the CA most certainly does not have.

If the CA were compromised by an attacker, they still couldn't decrypt communication between client and server. However, if the attacker was able to intercept traffic as a MitM, what they could do would be impersonate the server using the compromised CA. That way they wouldn't need to break the encryption, since the client is encrypting the traffic so that the MitM can decrypt it, thinking that they're talking to the server.

Blaming third-parties for not disobeying government orders is a red herring, anyway. The government should not be allowed to issue such orders. Period.
[ link to this | view in thread ]
Redback (profile), 22 May 2015 @ 11:05am

Similar Article
I think this article http://www.theage.com.au/technology/technology-news/australia-a-leader-in-hacking-mobile-phones-snow den-document-reveals-20150521-gh761s.html is related to this NSA's Plans To Hijack App Store Traffic
[ link to this | view in thread ]
GEMont (profile), 22 May 2015 @ 9:28pm

Good for the soul, but bad for the bank account.
I guess I'll simply never understand the absolute inability of the American Public to admit that their Spy Agencies are simply collecting information for the pure purposes of blackmail, defamation and monetary profit and that these spies and their minions are about as concerned over the possibility of terrorist attacks on America, as they are over the possibility of indigestion after lunch in the company cafeteria.

What does it take to finally knock the stolen White Hats off the heads of these now-proven criminals and traitors?

Video confessions on Utube??

---
[ link to this | view in thread ]
depyou (profile), 26 May 2015 @ 12:32am

who cares when the terrorists run the anti-terror agencies?
[ link to this | view in thread ]
anani nadia (profile), 30 May 2015 @ 3:43am

proud of your experience
How can you sure about this?

i m also a news writer in india. check my awesome Research Related Hanumangarh City. Visit my blog http://www.rj31force.com/
[ link to this | view in thread ]
AustinOS, 1 Jun 2015 @ 12:41pm

Stop The Spying
How messed up. Their programs just expired and yet they are already planned more malware practice on an extremely high traffic area. http://www.smithsontechnologies.com
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 8:14am

Oh ffs, ive only just found this story

Why are'nt these people up on trial already /rhetorical question off

They've done these things in secret, some of them breaking the lawful rule of their nation to do it, they harras/prosecute/threaten whistle blowers that reveal the secrets that shouldnt be secret, we made a big enough impression to let them know "hang, i think some folks might have an issue with this", and what have they done with the peacefull objection.......ignored, continuing, and generally a big fuck you to the public

Anyone who sees no wrong with what their doing, dont give a shit about others, or are willing to sacrifice other peoples privacy because of less of importance benefit to the sacrifice(in the grand scheme of things), something that technologically could most definatly be done in various ways, some ways that keep privacy and technological security intact but dont due to outside influence.....or are'nt technically inclined to realise just exactly what they can with just whats been reported

Ive ranted myself into "lost for words", im left with my original thought.......FFS
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 8:57am

Ffs

"The agencies] were also keen to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations"

This is'nt a surveilance tool, this is a propaganda tool disguised as a surveillance tool

Ffs man

No accountability, kept secret, threats made to condition folks to keep it that way, and clearly, a very serious morality problem

Your job is to govern in as peacefull manner as possible, not instigate violence, control, or own people that is not yourself, what right do you have affecting the life beyond your own without that persons consent, in this case, persons explicit NON consent

Our governments with their respective agencies are not governments of freedom, their governments of control........we as a species will never learn peace, when so many think a lasting peace can be forced

Understanding, empathy, and the caring that comes naturally after when one bothers to give understanding and empathy a shot........once you care, you cant uncare

Goddamit, this kind of news makes me so frustrated

Im telling ya google/android, i liked your initial ideals, open source etc, but you've driven so far from the main road data stealing, play services(closed source) dependant app, auto system app updates with no control on the matter.......telling ya, when the next guy that comes along and understands the needs of privacy/security and has built their os from the ground up against these needs.....im telling ya

Parting thoughts

Warrents are a check against overbearing government
These surveillances are not targeted, everyones a target, they exploit and store everyones info so by the letter of the law, we are all criminals..........the governments we have, are'nt the governments our governments want us to believe.........its not just about what their telling us its about what their NOT telling us

A war on internet - were everyone gets a say, not just the authorised
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 9:02am

IRRITANT HORN- whats that stand for, those that dont toe the party line huh?

"Minority" but loud voices huh?
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 9:14am

Re: Sun Tzu
I think you need to go higher
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 9:35am

Re: Re:
Lawfull, ....legal is lawyer speak vs the law of the land, a distinction they have no problems forgetting
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 9:44am

Re: Re: Re: Re: Re:
"Blaming third-parties for not disobeying government orders is a red herring, anyway. The government should not be allowed to issue such orders. Period."

Amen to that statement
[ link to this | view in thread ]
Anonymous Coward, 13 Sep 2015 @ 9:52am

Re:
Great, maybe they'll make the world a better place and drone themselves, and then hopefully use the drones on the drones as a parting gift
[ link to this | view in thread ]