Western spy agencies attempted to redirect user connections to smartphone app stores to plant malware and tamper with data traffic, according to new documents leaked by former United States National Security Agency (NSA) contractor Edward Snowden.
IRRITANT HORN is a joint operation between the NSA, the Australian Signals Directorate, the Government Communications Security Bureau (New Zealand), GCHQ in the UK, and Canada's Communications Security Establishment (CSE).
It aimed to create a man-in-the-middle (MITM) attack that would allow the Five Eyes spy agencies to implant malware on Android devices as they tried to connect to official app stores and update servers.
Furthermore, the agencies sought to plant misinformation to target handsets, and to exploit the app stores to profile these extensively for information gathering.
The spies targeted the UCWeb browser in particular, which a British Government Communications Headquarters (GCHQ) analyst had discovered leaked plenty of information about mobile devices, during a Signals Directorate workshop.
Device information leaked by UCWeb included identifiers such as the international mobile subscriber identity (IMSI) and the international mobile station equipment identity (IMEI). UCWeb would also reveal information about the devices themselves.
Analysts developed plugins for the XKEYSCORE search engine front end that would single out worldwide internet traffic patterns obtained from intercepts related to Samsung and Google update and app servers, as well as for UCWeb.
XKEYSCORE fingerprints to identify mobile carriers and the Samsung and Google app stores have been deployed among the Five Eyes spy agencies, the documents say.
None of the signals intelligence agencies would provide comment to The Intercept on the matter, nor would Google and Samsung.