The United States and its leading Western allies, known as the “Five Eyes,” planned to hack into smartphones through their links to Google and Samsung’s app stores, CBC News and The Intercept reported.
They wanted to infect apps with spyware and find ways to send misinformation to targets, according to documents released to the media by National Security Agency whistle-blower Edward Snowden.
The intelligence agencies also apparently began targeting the mobile browser UC Browser in late 2011, after discovering it leaked revealing details about its users.
UC Browser runs on Android, iOS, Windows Phone, BlackBerry, Java ME and Symbian.
Owned by Chinese e-commerce giant Alibaba, UC Browser is the world’s leading third-party mobile browser, accounting for nearly 13 percent of the market in March, according to Sitepoint.
It’s widely used in China and India, and is gaining ground strongly in emerging regions. It had 500 million users as of March 2014.
Facebook teamed up with UC Browser earlier this year to allow Facebook notifications in the app.
Gunning for Foreigners?
The app store project reportedly was motivated in part by concerns about the possibility of another Arab Spring.
The Five Eyes apparently agreed not to spy on each other’s citizens and focused their efforts instead on Africa, especially Senegal, Sudan and the Congo, where Muslim populations have been restive.
However, Samsung’s and Google’s mobile app servers were located in France, Switzerland, the Netherlands, Cuba, Morocco, the Bahamas and Russia.
The intelligence services reportedly found one country’s military unit using UC Browser for covert communications about its operations in Western countries.
“It should come as no comfort that these agencies haven’t yet used these techniques against their own people,” remarked Dave Bullas, director of pre-sales engineering at Stealthbits. “Any developer will tell you that the best way to build a tool that works is to get it working in one place before using it somewhere else.”
It’s not clear whether these attacks were a test run for a wider surveillance effort, Bullas told TechNewsWorld, “but evidence suggests that once the Five Eyes have a tool that works in one place, they’re not shy about using it elsewhere.”
What the Five Eyes Did
The agencies held a series of workshops in Australia and Canada in late 2011 and early 2012 on finding new ways to exploit smartphone technology for surveillance, The Intercept reported.
They used the NSA-developed Xkeyscore system to identify smartphone traffic on the Internet, then track down the smartphones’ connections to Samsung’s and Google’s app marketplace servers.
The agencies apparently set up a pilot project codenamed “Irritant Horn,” under which they developed a way to hack and hijack phone users’ connections to app stores, so they could send malicious implants to targeted devices. The implants would be used to collect data covertly from the smartphones.
The agencies reportedly also planned to harvest data about phone users from the app store servers.
The Need for Strategic Thinking
“Let’s step back from intent — just because the Five Eyes agreed not to spy on each other doesn’t mean they themselves can’t be hacked or their methods used by others, both domestic and foreign, who are not a part of this arrangement,” said Rob Enderle, principal at the Enderle Group.
“Once a methodology like this is established and validated,” he told TechNewsWorld, “the idea could … migrate worldwide.”
The Enemy May Be Us
Americans and citizens of the other Five Eyes countries may well be at risk of being targeted.
The CIA for years has been trying to hack iOS, and FBI director James Comey has been urging Congress to approve encryption backdoors, and fighting the plans of Apple, Google and others to implement strong encryption in their mobile OSes.
In exchange for making a few criminals vulnerable to investigation, law enforcement “is making everyone vulnerable to a variety of attacks, ranging from illegal stalking to identity theft, burglary and violence,” Enderle said.
“When law enforcement starts arguing they need to behave criminally to catch criminals,” he observed, “it’s generally a really bad thing.”
I’m not sure that Spy agencies can do that. Even now, most of the modern tracking apps that are being sold bypass Google and Apple app stores. That’s why the only ones who can compromise the security of Apple store and Google Play are Apple and Google themselves.