New dump reveals an Android malware called HighRise

Jul 14, 2017 08:34 GMT

WikiLeaks has just revealed the details of another CIA hacking tool as part of the Vault 7 saga, confirming that in addition to Windows and Linux systems, the agency was also targeting Android smartphones.

Called HighRise, the tool is essentially Android malware that intercepts text messages and forwards them to a CIA server, allowing an operator to read any SMS conversation on the compromised device.

“It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field (‘targets’) and the listening post (LP) by proxying ‘incoming’ and ‘outgoing’ SMS messages to an internet LP,” WikiLeaks explains.

Specifically, the CIA was using an app called TideCheck to deploy the hacking utility, though it’s worth mentioning that the agency needed to already be in control of the device to do this, which means that other tools to compromise Android devices were most likely developed too.

Once installed, the app needs to be launched manually by the agent, with a password requested at first boot. According to the manual published by WikiLeaks, the password is “inshallah,” which means “God willing” in Arabic.

Old versions of Android said to be supported

HighRise only works on Android 4.0 to 4.3, but there’s a good chance the CIA has since updated the hacking tool to target newer versions of the operating system. The malware was developed in late 2013, when Android 4.0 was the latest version, which could indicate that the CIA has introduced a series of improvements to keep pace with subsequent Android updates.

HighRise can start at device boot and keep its process running in the background, so the target won’t spot the malware unless they check the list of running processes.

“Once activated, HighRise will run in the background listening for events. It will also automatically start when the phone is powered on. Activating HighRise multiple times will have no adverse effects,” the manual of the malware explains.
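The behaviour described above (an app that receives SMS, starts at boot and talks to an internet listening post) corresponds to a specific combination of Android permissions, and that combination is something a defender can triage for from `adb shell dumpsys package` output. The script below is an added example written for this article, not code from the leak or from the page; the package names and the dumpsys excerpt are constructed sample data, not real HighRise or TideCheck artifacts.

```shell
#!/bin/sh
# Flag packages that request RECEIVE_SMS, RECEIVE_BOOT_COMPLETED and INTERNET
# together: the capability profile of an SMS proxy that autostarts at boot.
# Reads `dumpsys package` text on stdin, prints one matching package per line.
flag_sms_autostart() {
  awk '
    function flush() { if (pkg != "" && sms && boot && net) print pkg }
    # Each "Package [name] (hash):" header starts a new package record.
    /^ *Package \[/ { flush(); pkg = $2; gsub(/[][]/, "", pkg); sms = boot = net = 0 }
    # Match both "requested permissions" lines and "perm: granted=..." lines.
    /android\.permission\.RECEIVE_SMS(:|$)/            { sms = 1 }
    /android\.permission\.RECEIVE_BOOT_COMPLETED(:|$)/ { boot = 1 }
    /android\.permission\.INTERNET(:|$)/               { net = 1 }
    END { flush() }
  '
}

# Constructed sample of dumpsys output (hypothetical package names, not real data).
SAMPLE_DUMPSYS='Packages:
  Package [com.example.smsproxy] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.INTERNET
  Package [com.example.messenger] (4d5e6f):
    userId=10102
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.INTERNET
  Package [com.example.alarm] (7a8b9c):
    userId=10103
    requested permissions:
      android.permission.RECEIVE_BOOT_COMPLETED'

# Offline run against the sample; on a real device use:
#   adb shell dumpsys package | flag_sms_autostart
printf '%s\n' "$SAMPLE_DUMPSYS" | flag_sms_autostart
```

Only the first sample package is reported: the messenger lacks the boot permission and the alarm app lacks SMS and network access, so a hit is a lead for manual review rather than proof of compromise.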

As usual, the CIA hasn’t provided a statement on this, but WikiLeaks is expected to reveal more hacking tools used by the agency as part of the Vault 7 series of leaks in the near future.