As the NSA fights to retain its spying power with the Patriot Act now under review, more documents from whistleblower Edward Snowden have begun to surface. This newest leaks suggest the spy agency had plans to hack the Google Play store and inject malware into users’ seemingly-legitimate downloads. While it appears the plan was never put into practice, even the thought is worrisome, since most users have no qualms about trusting “secure” app stores like Google Play or iTunes — making it the perfect target for the NSA.
According to The Verge, documents released by Edward Snowden and published by The Intercept spell out a plan called “IRRITANT HORN” which would inject malware after intercepting Web traffic moving to and from mobile application servers. The documents clearly showed device-maker Samsung’s update protocol and Google Play servers located in France and used to deliver updates to phones in northern Africa. In other words, this wasn’t a plan confined to the United States — the NSA also had a vested interest in hacking the devices of users worldwide.
The Intercept reports that the project came from a joint effort by the Network Tradecraft Advancement Team, which has members from each nation of the Five Eyes alliance: Canada, the United States, the United Kingdom, New Zealand and Australia. According to the Snowden documents, this group held secret meetings in Australia and Canada between November 2011 and February 2012 to develop new ways they could exploit smartphones as surveillance devices.
Using an Internet spying system known as XKEYSCORE, the group zeroed in on traffic flowing to and from the app marketplaces operated by Google and Samsung. The idea was to intercept traffic sent between users and legitimate apps stores, and, using a man-in-the-middle attack, compromise the device to add NSA-crafted malware which could grab a user’s contact list or provide their location in near real-time. Although Samsung and Google use TLS encryption which should theoretically defend against these kind of attacks, there has long been speculation that the NSA has found a way around this kind of encryption.
The ultimate goal here? Snowden’s documents say IRRITANT HORN was part of a campaign to deliver “selective misinformation” to specific phones and was crafted in large measure as a response to the Arab Spring. The NSA and other international spy agencies wanted to make sure if any more social media-empowered unrest occurred, they were prepared to mitigate the effects through compromised devices.
Safe and sound?
While there’s no evidence that the NSA was successful — both Google and Samsung are staying mute — there’s a pertinent lesson here: app stores are not safe havens, even those operated by dominant companies like Google or Samsung. This shouldn’t come as a surprise, since it’s already possible to sneak malicious apps into these “secure” stores and “dead” apps that are no longer updated are often still available for download with no warning about their potentially compromised security.
What’s more, the level of trust users have for these app stores makes them the perfect vehicle for a spy agency attack. Beyond just the Five Eyes, government agencies across the globe have a vested interest when it comes what users are doing with their smartphones when political change or unrest occurs. In other words, while governments often pay lip service to the notion of consumer privacy, they’re not above denying any wrongdoing as federally-funded spy agencies work to uncover personal data for political use.
In the US, at least, NSA powers are under the microscope. While the Senate failed to pass the USA Freedom Act, a Second Circuit Court of Appeals ruled that Section 215 of the Patriot Act — which supposedly covered bulk telecom records collection — doesn’t actually hold water, leaving the program on hold. And with revelations like the Google Play hack continuing to trickle out of the Snowden files, it may be tough for the agency to get any traction.
But here’s the thing: when it comes to spy agencies, laws only matter if they get caught. Net-savvy citizens are better off assuming that no service is safe, no store is secure, and no device is invincible.