App stores from Google and Samsung reportedly became targets for government hijacking a few years ago, as the National Security Agency and its allies ramped up their data collection efforts.
As reported by CBC News and The Intercept, the plan involved hijacking the connections between smartphones and their app marketplace servers, and then planting malicious software on targeted devices. The NSA and friendly spying agencies could then secretly collect data, and possibly even send “selective misinformation to the targets” for propaganda or confusion purposes.
The reports stem from a new document provided by former NSA contractor Edward Snowden. It outlines a series of workshops held by the NSA and its counterparts in Canada, the United Kingdom, New Zealand, and Australia—collectively known as “Five Eyes.”
While investigating this possible hijacking method, the NSA and its allies also came across a major vulnerability in UC Browser, which is hugely popular in Asia. The program was reportedly leaking phone numbers, SIM card numbers, and other device details to its servers in China, making it a possible treasure trove for spying agencies.
The vulnerability persisted until last April, when human rights group Citizen Lab alerted the Alibaba Group, UC Browser’s parent company. An Alibaba source said it never heard a word about the leakage from spying agencies.
Why this matters: While it’s unclear what became of the app store hijacking plan, earlier reports have shown that U.K. spying agency GCHQ designed a suite of spyware aimed at iPhones and Android phones. The new documents could show how agents planned to load that spyware onto target’s phones.
The documents also speak to a larger issue of whether spy agencies should continue to exploit the software vulnerabilities they discover—thereby putting all users at risk—instead of reporting them. President Barack Obama has said he’s in favor of disclosing vulnerabilities, but with exceptions for national security and law enforcement needs. The Electronic Frontier Foundation has sued the NSA for more specifics on when it might keep security flaws secret.