Naked Security

Vault 7: new WikiLeaks dump details Android SMS snooping malware

Latest dump of stolen CIA documents includes user manual for HighRise app, used to eavesdrop on text messages

Since launching its Vault 7 project in March, WikiLeaks has dumped documents outlining the CIA’s efforts to exploit Microsoft and Apple technology. In this week’s latest release, it focuses on malware called HighRise, which the agency used to target Android devices.

WikiLeaks describes HighRise this way on its website:

HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP. HighRise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

HighRise has to be installed and configured manually on the target’s phone, according to the 12-page HighRise user guide, dated December 16 2013. Once the APK is installed on the targeted device, an application named TideCheck appears in the list of apps on the device.

TideCheck is the wrapper that houses HighRise, and the operator must open it to start the process. The app presents a text box disguised as an activation-code prompt; entering the word “inshallah” (“God willing” in Arabic) unlocks the real functionality, after which the operator configures HighRise from the app’s settings.

Once set up, HighRise runs in the background, starts automatically whenever the phone is turned on, and continuously intercepts text messages.
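An implant that behaves as described (receives and forwards SMS, relays to an internet listening post, restarts at boot) has to ask Android for a recognisable set of permissions. The script below is an added triage example, not code from the leaked documents or from Sophos: it parses text in the format of `adb shell dumpsys package` and flags packages that request the full SMS-relay profile. The permission profile is an assumption about what such a proxy needs, not something the HighRise manual states; the package names and the dumpsys excerpt are constructed sample data.

```python
"""Triage heuristic for SMS-relay implants on Android.

Parses text in the shape of `adb shell dumpsys package <pkg>` output and
flags packages that request every permission an SMS proxy with boot
persistence and an internet back-channel would need. The sample input is
constructed for this example; nothing here is taken from a real device.
"""

import re

# Assumption (not stated in the leaked manual): the minimum permission set
# for an app that intercepts SMS, re-sends SMS, restarts at boot and talks
# to an internet listening post.
SMS_RELAY_PROFILE = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INTERNET",
}

# Constructed sample in dumpsys layout: one ordinary messenger, one package
# matching the relay profile, one unrelated app. Package names are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    userId=10045
    versionName=2.1
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.INTERNET
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.smsrelay] (4d5e6f):
    userId=10071
    versionName=1.0
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (7a8b9c):
    userId=10080
    versionName=3.2
    requested permissions:
      android.permission.CAMERA
    install permissions:
      android.permission.CAMERA: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# A bare permission name on its own line; 'install permissions' entries carry
# a ': granted=' suffix and deliberately do not match.
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")


def parse_requested_permissions(dumpsys_text):
    """Return {package: set(requested permissions)} from dumpsys-style text."""
    result = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped.endswith(":"):
            # Section header: only 'requested permissions:' is of interest.
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested and current is not None:
            m = PERM_RE.match(line)
            if m:
                result[current].add(m.group(1))
    return result


def flag_sms_relay_candidates(perms_by_pkg, profile=SMS_RELAY_PROFILE):
    """Packages requesting every permission in the profile, sorted by name."""
    return sorted(pkg for pkg, perms in perms_by_pkg.items() if profile <= perms)


if __name__ == "__main__":
    perms = parse_requested_permissions(SAMPLE_DUMPSYS)
    for pkg in flag_sms_relay_candidates(perms):
        print(f"review: {pkg} requests {sorted(perms[pkg] & SMS_RELAY_PROFILE)}")
```

This is a starting point for manual review, not an indicator of compromise: legitimate messaging apps also request SMS permissions, so the boot-persistence and internet requirements are what narrow the list, and a hit still needs to be checked against the app's origin and signing identity. Against a live device, feed it the concatenated output of `dumpsys package` for each installed package.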

It’s a powerful spying tool but it has limits. For one thing, it must be installed on a device manually, not remotely: the operator needs physical access to the victim’s device to infect it.

It’s unclear if the CIA still uses HighRise.

On the heels of Cherry Blossom

This latest leak comes nearly a month after WikiLeaks’ last dump, from a project dubbed “Cherry Blossom” (WikiLeaks variously writes both Cherry Blossom and CherryBlossom, but the leaked documents routinely refer to Cherry Blossom, or CB for short, if you’re a stickler for precision).

In the words of its own Quick Start Guide, the CB project focused on internet surveillance:

The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest. In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals.

Is there a silver lining in these leaks?

Such leaks raise concerns that other attackers will use the tools for their own campaigns. We’ve already seen that happen with the recent WannaCry and Petya outbreaks, which made use of NSA tools dumped by the Shadow Brokers hacking group. When the Vault 7 dumps began, we asked security experts if there were any silver linings for the good guys.

Eric Cowperthwaite, former VP of strategy for Core Security and now director of managed risk services for Edgile, said at the time that he was conflicted on that question.

He brought up the case of Chelsea Manning, a United States Army soldier convicted by court-martial in 2013 for violating the Espionage Act and other offenses, after giving WikiLeaks thousands of classified and/or sensitive military and diplomatic documents:

There is good and bad in this. We know that some of the Manning leaks had impacts on military operations. That was part of Manning’s trial. I also found it interesting that Wikileaks alleges that the US intelligence community has a problem keeping its cyberwar tools off the black market. And if the CIA, NSA, etc. can’t keep these things under control, that is something that citizens should know.

It’s worth noting that HighRise, as documented, is malware written for older, outdated versions of Android (4.0 to 4.3), and there’s no way of knowing whether a more current version exists that works with updated iterations of the mobile operating system. At Naked Security, we’ll be keeping our ear to the ground.