In the latest update on NSA documents leaked by Edward Snowden, The Intercept is reporting on the surveillance establishment's efforts to use the Google Play Store to distribute spyware. Another fun fact from the data dump is that these agencies found and exploited a security hole in the ultra-popular UC Browser for years until an activist group informed its developers about it just about a month ago.

The information comes from a set of slides distributed to agency specialists in 2012 discussing plans for the use of mobile devices in surveillance. These initiatives were a cooperative between the so-called "Five Eyes" countries: USA, UK, Canada, Australia, and New Zealand. They agree to try not to spy on each other's citizens in exchange for teaming together to spy basically everywhere else. Targets discussed in this leak were largely (but not solely) in Africa, where officials worried about future "Arab Spring" types of events that had previously caught them off guard.


Above: a slide from the document dump

One major plan was to hack into Google's servers, primarily overseas, to perform man in the middle attacks on unsuspecting users. And while this would be a commonly used method to collect data, the documents reveal an even more ambitious plan. Targets would unknowingly be sent spyware as well as false information via trusted apps. In addition to schemes for the Play Store (then referenced as Android Market), they seemed further along in gaining access to Samsung servers to perform similar operations through their app store.

It is unclear from the report and the slides exactly how far these plans advanced. The spy agencies were known to have used "leaky" apps and man in the middle attacks on smartphones before, but the exact methodology was not always clear. This could be one way it was accomplished.

Another interesting piece of information from the report is that the agencies enjoyed a massive security hole on UC Browser, which is developed by a company under the Alibaba umbrella, an enormous Chinese company. The browser is most popular in that and surrounding markets. The presentation boasted that they were able to harvest IMSI, MSISDN, IMEI, and other identifying information from users. Each of those numbers would prove immensely useful for the purpose of associating web activity with a specific person and device.


Above: another slide from the document dump

The activist group that first alerted the developers to the vulnerability also found that the browser was leaking search queries. In a statement, UC Browser says they were unaware of the problem and have issued a fix. A source told CBC that the security agencies never notified the developers of the issue, despite the fact it made users in Five Eyes countries open to attack by other governments and criminals.

Featured image by the EFF (CC-BY-3.0)