NSA planned to hijack Google Play Store, Samsung app store to deliver malware

The program also exposed a major browser vulnerability, which government agents reportedly exploited for years.

App stores from Google and Samsung reportedly became targets for government hijacking a few years ago, as the National Security Agency and its allies ramped up their data collection efforts.

As reported by CBC News and The Intercept, the plan involved hijacking the connections between smartphones and their app marketplace servers, and then planting malicious software on targeted devices. The NSA and friendly spying agencies could then secretly collect data, and possibly even send "selective misinformation to the targets" for propaganda or confusion purposes.

The reports stem from a new document provided by former NSA contractor Edward Snowden. It outlines a series of workshops held by the NSA and its counterparts in Canada, the United Kingdom, New Zealand, and Australia--collectively known as "Five Eyes."

While investigating this possible hijacking method, the NSA and its allies also came across a major vulnerability in UC Browser, which is hugely popular in Asia. The program was reportedly leaking phone numbers, SIM card numbers, and other device details to its servers in China, making it a possible treasure trove for spying agencies.

The vulnerability persisted until last April, when human rights group Citizen Lab alerted the Alibaba Group, UC Browser's parent company. An Alibaba source said it never heard a word about the leakage from spying agencies.

Why this matters: While it's unclear what became of the app store hijacking plan, earlier reports have shown that U.K. spying agency GCHQ designed a suite of spyware aimed at iPhones and Android phones. The new documents could show how agents planned to load that spyware onto targets' phones.

The documents also speak to a larger issue of whether spy agencies should continue to exploit the software vulnerabilities they discover--thereby putting all users at risk--instead of reporting them. President Barack Obama has said he's in favor of disclosing vulnerabilities, but with exceptions for national security and law enforcement needs. The Electronic Frontier Foundation has sued the NSA for more specifics on when it might keep security flaws secret.

Stories by Jared Newman

Latest Videos

More videos

Blog Posts