WikiLeaks Exposes CIA’s HighRise SMS Spying Tool In Latest Vault 7 Dump

WikiLeaks has published another set of leaked documents from the United States Central Intelligence Agency (CIA). This latest leak is part of WikiLeaks' Vault 7 batch and details a malicious app for Android devices called HighRise. Also called TideCheck, the app lets a remote operator intercept or redirect SMS text messages sent to a target's cellular phone and forward those communications to a remote web server.

This appears to be an old tool that was used by the CIA, or at least the version described in the leaked documents is an older piece of malware. The accompanying manual is dated December 16, 2013, and describes a tool designed to work on handsets running Android 4.0 (Ice Cream Sandwich) to 4.3 (Jelly Bean). There have been four major Android releases since then: KitKat, Lollipop, Marshmallow and Nougat. Google is also close to releasing yet another build, Android O.


Based on the manual's description, HighRise acts as an SMS proxy on compatible Android devices: it takes the messages it intercepts and relays them to Internet "listening posts", where an operator can read them. The app is also password protected so that unauthorized users cannot change its settings or behavior.

One notable feature of this particular malware is that it cannot be installed remotely, unlike some of the other tools the CIA is known to have used. HighRise must be installed with physical access to the handset and then run manually once; only after that does it run automatically in the background and after a reboot. Because it has to be launched by hand, HighRise also appears in the list of installed apps, where the operator can start it, according to the user guide.
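The two paragraphs above describe a recognisable profile for an Android SMS proxy on the 4.0 to 4.3 handsets the manual covers: permission to receive (and send) SMS, network access to reach the listening post, a broadcast receiver for incoming SMS, another for boot so it survives reboots, and a launcher entry because the operator starts it by hand. On those Android versions a receiver with a high priority on the SMS broadcast could read a message before the stock messaging app did, which is one reason the 4.4 cut-off matters: KitKat moved SMS delivery to a single default SMS app. The script below is an added triage example written for this page, not code from the leaked manual or from the HighRise app; it scores a decoded AndroidManifest.xml (as produced by apktool) against that profile. Both manifests it runs on are constructed samples, and the package names and class names in them are made up.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-proxy traits described
above: SMS interception, network egress, boot persistence, launcher entry.

Added example for this page; constructed samples, not the HighRise manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute
PRIORITY = f"{{{ANDROID_NS}}}priority"  # android:priority on intent-filter

RECEIVE_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SEND_PERM = "android.permission.SEND_SMS"
NET_PERM = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def _actions(intent_filter):
    return {a.get(NAME) for a in intent_filter.findall("action")}


def triage_manifest(xml_text: str) -> dict:
    """Return the SMS-proxy indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}

    sms_priority = None      # highest android:priority on an SMS_RECEIVED filter
    boot_receiver = False
    launcher_activity = False

    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = _actions(flt)
            if SMS_RECEIVED in actions:
                prio = int(flt.get(PRIORITY, "0"))
                if sms_priority is None or prio > sms_priority:
                    sms_priority = prio
            if BOOT_COMPLETED in actions:
                boot_receiver = True

    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            cats = {c.get(NAME) for c in flt.findall("category")}
            if MAIN in _actions(flt) and LAUNCHER in cats:
                launcher_activity = True

    result = {
        "receives_sms": bool(perms & RECEIVE_PERMS),
        "sends_sms": SEND_PERM in perms,
        "network": NET_PERM in perms,
        "sms_receiver_priority": sms_priority,
        # A BOOT_COMPLETED receiver only fires if the permission is held too.
        "boot_persistence": boot_receiver and BOOT_PERM in perms,
        "visible_in_app_list": launcher_activity,
    }
    # Core profile: can read incoming SMS via a receiver and has a way out.
    result["sms_proxy_profile"] = (
        result["receives_sms"] and result["network"] and sms_priority is not None
    )
    return result


# Constructed sample modelled on the behaviour the article describes.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsproxy">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="SMS Proxy">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample: network access but no SMS handling at all.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

The check is deliberately manifest-only, so it is a triage filter rather than a verdict: a legitimate third-party messaging app on Android 4.x would match the same profile, and a sample that hides its launcher entry or registers its receivers at runtime would score lower than this. Treat a match as a reason to pull the APK apart and look at where the intercepted messages go.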

These characteristics suggest that this particular version was probably not used to spy on a target, at least not directly, and instead served as a secure line of communication with CIA agents in the field, perhaps as a backup. Previous versions of the app did not have these attributes.

It is not known whether the CIA continues to use this tool, albeit in an updated version that supports newer versions of Android (and perhaps iOS as well).