The U.S. National Security Agency (NSA) and some of its peer agencies from closely allied countries targeted data links to Google’s mobile application stores as a way to plant spyware on people’s smartphones, CBC Canada reported this week.
A top-secret document obtained from former NSA contractor Edward Snowden shows that the NSA and its counterparts in Canada, the United Kingdom, New Zealand and Australia established a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team to work on ways to plant spyware on targeted mobile devices, CBC said.
The team held workshops in Australia and Canada between November 2011 and Feb 2012 when they discussed ways to exploit smartphone technologies for surveillance purposes, said The Intercept, which helped CBC analyze the document.
One pilot project that was tested under the joint effort was dubbed “Irritant Horn.” It involved a method to intercept and hijack connections between a targeted user’s smartphone to Google’s mobile application store. The goal was to try and insert data-stealing malware on the smartphone if the user attempted to download an application from the app store, The Intercept said. Samsung’s application store was also similarly targeted, The Intercept and CBC reported.
Previous Snowden documents have already revealed that the NSA and its counterparts targeted leaky mobile applications to harvest a wide range of data on smartphone users from around the world. It is already known that the agencies grabbed emails as well as call records, browsing histories, videos and photos from targeted mobile devices using spyware. But until now, it has not been clear how exactly the agencies were able to collect the data, The Intercept said.
The Network Tradecraft Advancement Team used tools like the NSA’s previously disclosed XKeyscore spying tool to identify smartphone traffic and then track down connections to servers used by Google and Samsung to host their application stores and software update services.
The unit then attempted to use man-in-the-middle attacks to insert themselves into the data stream between a targeted user’s smartphone and the app store and inject spyware on the individual’s device. In addition to tampering with the data packets flowing between the app store and users’ devices, the spy agencies also attempted to send what they described as “selective misinformation” to targeted devices to confuse them and spread propaganda, the papers said.
As part of their effort to grab data from smartphones, the agencies also appear to have discovered and quietly exploited a vulnerability in the UC browser, a mobile browser that is popular in China and India but somewhat less so in North America.
The document obtained by The Intercept and CBC showed that the agencies discovered the browser was highly insecure and leaking all kinds of information on smartphone users. It was a fact that they apparently quietly used to their advantage without informing the browser maker of the broad privacy and security threat to the browser’s hundreds of millions of users worldwide, The Intercept and CBC said.
It is not immediately clear from either report whether the spy agencies were merely planning or actually succeeded in compromising data links to Google’s application stores and launching man-in-the-middle attacks against targeted adversaries. The focus of the data collection activities appears to have been smartphone users in Africa, particularly Senegal, the Congo and Sudan. But a Google application store server located in France was also targeted, and so, too, were application servers in the Netherlands, Switzerland, the Bahamas, Russia, Cuba and Morocco belonging to other mobile app vendors.
Google did not respond by press time to a request for comment.