CIA Highrise Android Malware Spies on SMS Messages
Vault 7 is a WikiLeaks project launched in March 2017. WikiLeaks holds documents which, it says, show that the CIA has been exploiting Microsoft and Apple technology to spy on mobile users. Its news release of 13th July 2017 added a 12-page document, dated 16th December 2013 and available on the WikiLeaks website, that describes a piece of malware referred to as HighRise, which the CIA has used to spy on Android devices.
WikiLeaks describes HighRise on its website as follows:
HighRise is an Android application programmed for mobile devices running Android 4.0 to 4.3. It provides a redirection network for incoming and outgoing SMS messages on the device it is installed on. This redirection network is used by a number of IOC tools, which use SMS messaging as the primary communication method between the device that has been implanted with HighRise and the receiving end, referred to as “listening posts” or “LPs”. HighRise behaves as an SMS proxy platform, which gives greater separation between the implanted devices in the field (the “targets”) and the receiving devices (the LPs). The platform proxies “incoming” and “outgoing” SMS messages on the target and sends a copy of the messages to an internet LP. HighRise creates a communication channel between the target and the listening post using a TLS/SSL secured internet connection.
The news release hosts the 12-page document mentioned above: a user guide for HighRise written at the CIA’s Information Operations Center. Newer versions of Android do not let a freshly installed application start on its own (since Android 3.1 a newly installed app sits in a “stopped” state and receives no broadcasts until the user opens it), so the installed application has to be launched manually at least once by the user, or the device has to be rebooted. HighRise 2.0, an updated port of HighRise 1.4, therefore has to be run manually once after it is installed; from then on it starts automatically in the background whenever the device reboots. Because of these changes in the Android operating system HighRise now appears as an installed application in the App Manager, under the name TideCheck. The application is protected by the password “inshallah”, which must be entered when it is set up after installation. The word is Arabic and translates to English as “God willing”. There has been much speculation about why the password is in Arabic, but no concrete explanation is available. Once this malware is installed on the victim’s phone it acts as a powerful spying tool.
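The capability profile described above (an SMS interceptor that forwards copies to an internet listening post and re-arms itself after a reboot) is visible in an APK’s manifest long before any signature exists for a specific sample. The script below is an added triage example written for this article; it is not CIA, WikiLeaks or HighRise code, and it does not detect HighRise by signature. It parses a decoded AndroidManifest.xml and scores the combination of SMS permissions, a high-priority SMS_RECEIVED receiver (which on Android 4.0–4.3 can abortBroadcast() to hide a message from the stock SMS app), INTERNET egress and a BOOT_COMPLETED receiver. The two manifests embedded in it are constructed with invented package names purely to exercise the heuristic.

```python
"""Triage a decoded AndroidManifest.xml for an SMS-redirector capability profile.

Added example for this article (not code from HighRise, the CIA or WikiLeaks).
Heuristic only: it flags the *combination* of SMS interception, network egress
and boot persistence that an SMS proxy implant needs, not any specific sample.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # manifest attribute namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
KITKAT_API = 19   # Android 4.4: only the default SMS app can consume SMS from here on


def assess_manifest(xml_text):
    """Return a dict with the package name, a score, a flag and the reasons found."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

    sms_priority = None          # priority of an SMS_RECEIVED intent filter, if any
    boot_receiver = False
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = flt.get(ANDROID + "priority")
                sms_priority = int(prio) if prio is not None else 0
            if BOOT_ACTION in actions:
                boot_receiver = True

    target_sdk = None
    sdk = root.find("uses-sdk")
    if sdk is not None and sdk.get(ANDROID + "targetSdkVersion"):
        target_sdk = int(sdk.get(ANDROID + "targetSdkVersion"))

    reasons = []
    if perms & SMS_PERMS and sms_priority is not None:
        reasons.append("SMS permissions plus an SMS_RECEIVED receiver: can read every incoming text")
    if sms_priority is not None and sms_priority >= 100:
        reasons.append("SMS receiver priority %d: can abortBroadcast() ahead of the stock "
                       "SMS app on Android 4.0-4.3" % sms_priority)
    if "android.permission.INTERNET" in perms and perms & SMS_PERMS:
        reasons.append("INTERNET alongside SMS access: can forward message copies to a remote listening post")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and boot_receiver:
        reasons.append("BOOT_COMPLETED receiver: restarts itself after every reboot")
    if "android.permission.SEND_SMS" in perms and sms_priority is not None:
        reasons.append("SEND_SMS with interception: can relay outgoing traffic or commands by text")
    if target_sdk is not None and target_sdk < KITKAT_API and sms_priority is not None:
        reasons.append("targets API %d (pre-4.4), where a non-default app may still swallow SMS" % target_sdk)

    score = len(reasons)
    return {"package": root.get("package"), "score": score,
            "flag": score >= 3, "reasons": reasons}


# Constructed sample: an SMS-proxy-style app (invented package name, not a real APK).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsproxy">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="18"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = assess_manifest(manifest)
        print("%s: score=%d flag=%s" % (result["package"], result["score"], result["flag"]))
        for reason in result["reasons"]:
            print("  - " + reason)
```

Run it against the output of apktool or aapt for the APK under review. The threshold of three hits is deliberate: RECEIVE_SMS on its own is common in legitimate two-factor and messaging apps, and INTERNET is nearly universal, but the three together, with boot persistence and a receiver priority high enough to pre-empt the stock SMS app, are exactly what an SMS proxy needs and little else. On Android 4.4 and later a non-default app can still observe SMS with RECEIVE_SMS but can no longer suppress it, so the priority signal matters most for the 4.0–4.3 range that HighRise targets.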