More CIA Android Hacking

 

WikiLeaks published another entry in their Vault 7 collection of CIA leaks. The new documents released by WikiLeaks detail a program called HighRise, which infects Android phones and devices, and intercepts and redirects SMS text messages to a remote server controlled by the CIA. The user manual for HighRise version 2.0 comes from the CIA’s Information Operations Center. According to a user manual for HighRise that is dated from December 16^th 2013, HighRise version 2.0 targets Android 4.0 to Android 4.3, but it is likely that newer versions can target newer versions of the Android operating system. The HighRise tool comes inside of a CIA app called TideCheck.

In order to deploy the HighRise tool, CIA agents must install it on the targeted victim’s device. After installing it, the agent must manually run HighRise once in order to gain persistence on the device. In order for an agent to activate it, a special password must be entered. The default password for activating HighRise is “inshallah”, an Arabic expression which means “God willing.” After the password has been entered the CIA agent is given three choices, to initialize the app, to edit the configuration file, and to send an SMS message from the victim’s phone. The CIA could use HighRise to frame people by sending incriminating SMS text messages from their phone. The encrypted communications channel is designed for allowing operatives in the field to communicate with their handlers or supervisors.

HighRise can be configured to send copies of all incoming SMS text messages to a remote server controlled by the CIA. HighRise can also provide a channel for the CIA agent to securely communicate with a CIA listening post. HighRise uses TLS/SSL to secure communications. Prior versions of HighRise were even sneakier due to a lack of certain security features in versions of the Android operating system below version 4.0. Unlike previous versions of HighRise, HighRise version 2.0 installs an icon in the list of installed apps. The icon to access HighRise features a blue and white “play” style button that gets installed under the name TideCheck.

In order for a CIA agent to use HighRise, the victim’s Android device must have both SMS text messaging service and data service with internet connectivity. According to the user manual for HighRise version 2.0, the victim’s device must have the date set correctly or almost correctly. “HighRise acts as a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post (LP) by proxying “incoming” and “outgoing” SMS messages to an internet LP,” WikiLeaks explained in their post. HighRise is configured by the CIA agent to check in with the listening post sometime between every 2 to 5 minutes. Once HighRise is activated it waits in the background and listens for incoming SMS text messages. HighRise automatically starts when the Android device is powered on. It doesn’t matter if HighRise is activated multiple times.

Previously, in March, WikiLeaks released documents which showed that the CIA uses at least 26 weaponized zero days to hack Google’s Android operating system. These zero day exploits were used to bypass the sophisticated encryption used by messaging programs such as Signal. Like the zero days reported in March, the new HighRise app can only be installed onto devices which the CIA has physical access to. Another recent CIA leak that WikiLeaks released as part of its Vault 7 series of leaks detailed the ELSA geo-location malware program, which relies on Google databases to help identify the location of a device. Other recent Vault 7 CIA leaks published by WikiLeaks include two SSH exploits, called BothanSpy and Gyrafalcon, which target SSH users who are running Windows or Linux operating systems. Earlier CIA leaks released by WikiLeaks show how the agency worked with private corporations to hack users of the Microsoft Windows operating systems. To keep track of new releases from WikiLeaks, check the DeepDotWeb archive on articles tagged with WikiLeaks.