Wikileaks: CIA HighRise Android malware used to intercept and redirect SMSs

Pierluigi Paganini July 13, 2017

Wikileaks released the documentation for HighRise, an Android app used by the CIA to intercept and redirect SMS messages to a CIA-controlled server.

WikiLeaks just published a new batch of documents related to another CIA hacking tool, dubbed HighRise, part of the Vault 7 leak released in partnership with media partners.

The tool is an Android application used by US intelligence agents to intercept and redirect SMS messages to a CIA-controlled server.

Below is the list of features implemented by the Android malware:

  • Proxy “incoming” SMS messages received by HighRise host to an internet LP (listening post)
  • Send “outgoing” SMS messages via the HighRise host
  • Provide a communications channel between the HighRise field operator & the LP
  • TLS/SSL secured internet communications

“HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. HighRise provides a redirector function for SMS messaging. There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post.” reads the manual.

According to a user manual leaked by Wikileaks, the malicious code only works on Android versions from 4.0 through 4.3 (Android Ice Cream Sandwich and Jelly Bean), which currently account for 8.8 percent of overall Android devices on the market.

However, the document dates back to December 2013, so it is likely that the CIA has updated the tool in the meantime to target newer versions of the Android OS.

The HighRise tool is packaged inside an app named TideCheck (tidecheck-2.0.apk, MD5: 05ed39b0f1e578986b1169537f0a66fe).

HighRise Android hacking tool

The tool must be installed manually by CIA agents on the target device and needs to be executed manually at least once.

“Therefore, the HighRise application first must be manually run once before it will automatically run in the background or after a reboot. As a consequence, the HighRise application now shows up in the list of installed apps so it can be started by the HighRise operator.” continues the manual.

When running the tool for the first time, CIA cyber spies must enter the special code “inshallah” (“God willing” in Arabic) to access its settings.

Once the code has been entered and the software is successfully activated, HighRise will run in the background listening for events. The hacking tool will automatically start every time the phone is powered on.

“Once activated, HighRise will run in the background listening for events. It will also automatically start when the phone is powered on. Activating HighRise multiple times will have no adverse effects.” continues the manual.
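The behaviour described above (receive incoming SMS, send outgoing SMS, restart on boot, talk to an internet listening post) maps onto a small set of Android permissions. The following added example, which is not part of the original article or of the leaked documentation, flags installed packages holding that full combination and checks an APK against the MD5 published above; the permission mapping, the package names and the inventory are assumptions constructed for illustration.

```python
import hashlib

# MD5 of tidecheck-2.0.apk as published in the leaked documentation.
HIGHRISE_APK_MD5 = "05ed39b0f1e578986b1169537f0a66fe"

# Assumed mapping from the HighRise feature list to Android permissions
# (these permission names exist in Android; the mapping is our assumption,
# the manual itself does not list permissions).
CAPABILITIES = {
    "proxy_incoming_sms": {"android.permission.RECEIVE_SMS"},
    "send_outgoing_sms": {"android.permission.SEND_SMS"},
    "autostart_on_boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "internet_lp_channel": {"android.permission.INTERNET"},
}


def capabilities(perms: set[str]) -> set[str]:
    """Return the HighRise-style capabilities a permission set grants."""
    return {cap for cap, needed in CAPABILITIES.items() if needed <= perms}


def suspicious_packages(packages: dict[str, set[str]]) -> list[str]:
    """Packages whose permissions cover every capability of an SMS redirector.

    `packages` maps package name -> granted permissions; in practice it would
    be built from the device's package inventory, here it is passed in.
    """
    return sorted(
        name for name, perms in packages.items()
        if capabilities(perms) == set(CAPABILITIES)
    )


def apk_matches_highrise(apk_bytes: bytes) -> bool:
    """True when the APK bytes hash to the MD5 published for tidecheck-2.0.apk."""
    return hashlib.md5(apk_bytes).hexdigest() == HIGHRISE_APK_MD5


# Constructed sample inventory (package names and grants are made up).
SAMPLE_INVENTORY = {
    "com.example.messenger": {"android.permission.RECEIVE_SMS",
                              "android.permission.SEND_SMS",
                              "android.permission.INTERNET"},
    "com.example.tidecheck": {"android.permission.RECEIVE_SMS",
                              "android.permission.SEND_SMS",
                              "android.permission.RECEIVE_BOOT_COMPLETED",
                              "android.permission.INTERNET"},
    "com.example.weather": {"android.permission.INTERNET"},
}

if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_INVENTORY):
        print("review:", pkg, sorted(capabilities(SAMPLE_INVENTORY[pkg])))
```

A normal messaging app also holds SMS permissions, so the combination is a triage signal to review, not proof of compromise; the hash check is only meaningful for the exact sample named in the leak.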

Below is the list of releases published by Wikileaks since March:


Pierluigi Paganini

(Security Affairs – Android malware, CIA)
