WikiLeaks has published its latest Vault 7 documents, revealing the CIA's alleged Android malware dubbed HighRise that has been designed to allow spies to covertly steal data from targeted smartphones. According to WikiLeaks, HighRise functions as an SMS proxy and sends stolen data to the CIA via SMS.
WikiLeaks documents reveal that HighRise masquerades as an app called TideCheck, which needs to be manually downloaded onto targeted phones "before it will automatically run in the background or after a reboot".
"HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts," WikiLeaks said.
Targeted users can be tricked into downloading the alleged CIA malware-laced TideCheck app. However, the app reportedly requires users to enter a password to open it up; the password is "inshallah" which is an Arabic word that roughly translated means "God willing". It is unclear why the phrase "inshallah" was used as a password for the app. According to Hackread, the phrase is commonly used in the Arab world and could likely hint that the malware was designed to target Arabic or Muslim people.
According to the user guide published by WikiLeaks, once configured, the malware-laced app runs surreptitiously in the background, checking for incoming messages, which it then passes along to the CIA's remote listening post (LP) server.
According to the leaked user manual, HighRise's primary features are:
- Send a copy of all incoming SMS messages to a CIA-controlled remote internet-based server
- Send SMS messages from the target's compromised smartphone
- Provide a communications channel between the HighRise field operator & the CIA's LP
- Provide a TLS/SSL secured internet communications
WikiLeaks' dump is part of its Vault 7 series, which allegedly details the various kinds of hacking tools the spy agency uses to surveil its targets. HighRise is the 16th data dump and comes just a week after WikiLeaks published its previous Vault 7 files, detailing the CIA's hacking tools targeting Windows and Linux systems.