The National Security Agency and its closest allies planned to hijack
data links to Google and Samsung app stores to infect smartphones with
spyware, a top-secret document reveals.
The surveillance project was launched by a joint electronic
eavesdropping unit called the Network Tradecraft Advancement Team, which
includes spies from each of the countries in the “Five Eyes” alliance —
the United States, Canada, the United Kingdom, New Zealand and
Australia.
The top-secret document, obtained from NSA whistleblower Edward Snowden, was
published Wednesday by CBC News in collaboration with The Intercept. The
document outlines a series of tactics that the NSA and its counterparts in
the Five Eyes were working on during workshops held in Australia and Canada
between November 2011 and February 2012.
The main purpose of the workshops was to find new ways to exploit smartphone
technology for surveillance. The agencies used the Internet spying system
XKEYSCORE to identify smartphone traffic flowing across Internet cables and
then to track down smartphone connections to app marketplace servers operated
by Samsung and Google. (Google declined to comment for this story. Samsung
said it would not be commenting “at this time.”)
As part of a pilot project codenamed IRRITANT HORN, the agencies were
developing a method to hack and hijack phone users’ connections to app
stores so that they would be able to send malicious “implants” to
targeted devices. The implants could then be used to collect data from
the phones without their users noticing.
Previous disclosures from the Snowden files have shown that agencies in the
Five Eyes alliance designed spyware for iPhones and Android smartphones,
enabling them to infect targeted phones and grab emails, texts, web history,
call records, videos, photos and other files stored on them. But the methods
used by the agencies to get the spyware onto phones in the first place have
remained unclear.
The newly published document shows how the agencies wanted to “exploit” app
store servers, using them to launch so-called “man-in-the-middle” attacks to
infect phones with the implants. A man-in-the-middle attack is a technique in
which hackers place themselves between computers as they are communicating
with each other; it is a tactic sometimes used by criminal hackers to defraud
people. In this instance, the method would have allowed the surveillance
agencies to modify the content of data packets passing between targeted
smartphones and the app servers while an app was being downloaded or updated,
inserting spyware that would be covertly sent to the phones.

But the agencies wanted to do more than just use app stores as a
launching pad to infect phones with spyware. They were also keen to find
ways to hijack them as a way of sending “selective misinformation to
the targets’ handsets” as part of so-called “effects” operations that
are used to spread propaganda or confuse adversaries. Moreover, the
agencies wanted to gain access to companies’ app store servers so they
could secretly use them for “harvesting” information about phone users.
The project was motivated in part by concerns about the possibility of
“another Arab Spring,” which was sparked in Tunisia in December 2010 and
later spread to countries across the Middle East and North Africa.
Western governments and intelligence agencies were largely blindsided by
those events, and the document detailing IRRITANT HORN suggests the
spies wanted to be prepared to launch surveillance operations in the
event of more unrest.
The agencies were particularly interested in the African region, focusing on
Senegal, Sudan and the Congo. But the app stores targeted were located in a
range of countries, including a Google app store server located in France and
other companies’ app download servers in Cuba, Morocco, Switzerland, the
Bahamas, the Netherlands and Russia. (At the time, the Google app store was
called the “Android Market”; it is now named Google Play.)
Another major outcome of the secret workshops was the agencies’ discovery of
privacy vulnerabilities in UC Browser, a popular app used to browse the
Internet across Asia, particularly in China and India. Though UC Browser is
not well-known in Western countries, its massive Asian user base, a reported
half billion people, means it is one of the most popular mobile Internet
browsers in the world.
According to the top-secret document, the agencies discovered that the UC
Browser app was leaking a gold mine of identifying information about its
users’ phones. Some of the leaking information apparently helped the agencies
uncover a communication channel linked to a foreign military unit believed to
be plotting “covert activities” in Western countries. The discovery was
celebrated by the spies as an “opportunity where potentially none may have
existed before.”
Citizen Lab, a human rights and technology research group based at the
University of Toronto, analyzed the Android version of the UC Browser app for
CBC News and said it identified “major security and privacy issues” in its
English and Chinese editions. The Citizen Lab researchers have authored their
own detailed technical report outlining the many ways the app has been
leaking data, including some users’ search queries, SIM card numbers and
unique device IDs that can be used to track people.
Citizen Lab alerted UC Browser to the security gaps in mid-April; the company
says it has now fixed them by rolling out an update for the app. A
spokesperson for UC Browser’s parent company, Chinese e-commerce giant the
Alibaba Group, told CBC News in a statement that it took security “very
seriously and we do everything possible to protect our users.” The
spokesperson added that the company had found “no evidence that any user
information has been taken,” though it is not likely that surveillance of the
leaking data would have been detectable.
The case strikes at the heart of a debate about whether spy agencies are
putting ordinary people at risk by secretly exploiting security flaws
in popular software instead of reporting them so that they can be fixed.
According to Citizen Lab Director Ron Deibert, the UC Browser
vulnerability not only exposed millions of the app’s users to
surveillance carried out by any number of governments — but it could
also have been exploited by criminal hackers to harvest personal data.
“Of course, the security agencies don’t [disclose the information],”
Deibert said. “Instead, they harbor the vulnerability. They essentially
weaponize it.” Taking advantage of weaknesses in apps like UC Browser
“may make sense from a very narrow national security mindset,” Deibert
added, “but it’s at the expense of the privacy and security of hundreds
of millions of users worldwide.”
The revelations are the latest to highlight tactics adopted by the Five Eyes
agencies in their efforts to hack computers and exploit software
vulnerabilities for surveillance. Last year, The Intercept reported that the
NSA has worked with its partners to dramatically increase the scope of its
hacking attacks and use of “implants” to infect computers. In some cases, the
agency was shown to have masqueraded as a Facebook server in order to hack
into computers.
The Intercept and CBC News contacted each of the Five Eyes agencies for
comment on this story, but none would answer questions on record about any of
the specific details.
A spokesperson for Canada’s Communications Security Establishment said
that the agency was “mandated to collect foreign signals intelligence to
protect Canada and Canadians from a variety of threats to our national
security, including terrorism,” adding that it “does not direct its
foreign signals intelligence activities at Canadians or anywhere in
Canada.”
British agency Government Communications Headquarters said that its work
was “carried out in accordance with a strict legal and policy
framework, which ensures that our activities are authorised, necessary
and proportionate.”
Australia’s Signals Directorate said it was “long-standing practice” not
to discuss intelligence matters and would not comment further.
New Zealand’s Government Communications Security Bureau said that it has
“a foreign intelligence mandate” and that everything it does is
“explicitly authorised and subject to independent oversight.”
The NSA had not responded to repeated requests for comment at the time of publication.