WikiLeaks published the manual of another CIA hacking tool, part of the Vault 7 leak series. The tool is referenced internally at the CIA under the name HighRise and is an Android application for intercepting SMS messages and redirecting them to a remote web server.
How CIA Highrise Project Works
In general, after compromising a machine, malware uses its internet connection to send stolen data to the attacker-controlled server (the listening post). On smartphones, however, malware has an alternative channel for sending stolen data to the attackers: SMS.
But collecting stolen data via SMS brings a major issue – the attacker has to sort and analyse bulk messages received from multiple targeted devices.
To solve this issue, the CIA created a simple Android application, dubbed Highrise, which works as an SMS proxy between the compromised devices and the listening post server.
“There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field (‘targets’) and the listening post” by proxying “‘incoming’ and ‘outgoing’ SMS messages to an internet LP,” the leaked CIA manual reads.
CIA operatives need to install an application called “TideCheck” on their Android devices, which are set to receive all the stolen data via SMS from the compromised devices.
The last known version of the TideCheck app, i.e. HighRise v2.0, was developed in 2013 and works on mobile devices running Android 4.0 to 4.3, though I believe, by now, they have already developed updated versions that work on the latest Android OS.
Once installed, the app prompts for a password, which is “inshallah,” and after login, it displays three options:
- Initialize — to run the service.
- Show/Edit configuration — to configure basic settings, including the listening post server URL, which must be using HTTPS.
- Send Message — allows a CIA operative to manually (and optionally) submit short messages (remarks) to the listening post server.
Once initialized and configured properly, the app runs continuously in the background, monitoring incoming messages from compromised devices; whenever one arrives, it forwards the message to the CIA’s listening post server over a TLS/SSL-secured Internet channel.
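The description above implies a recognisable capability profile for an SMS proxy of this kind: permission to receive SMS, a broadcast receiver for incoming messages, network egress, and a long-running background service. As an added example, not code from the article or from the leaked manual, the following manifest triage flags that combination; the sample manifest, package name and component names are constructed for illustration.

```python
"""Heuristic triage of an Android manifest for the SMS-proxy capability
profile: SMS receipt + network egress + a background service.
Example code written for this article; the manifest below is constructed,
not taken from the leaked HighRise/TideCheck package."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest showing the pattern (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tidecheck">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ProxyService"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found plus an overall verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Receivers whose intent-filter listens for the incoming-SMS broadcast;
    # a high priority lets an app see the SMS before the default messaging app.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = flt.get(ANDROID_NS + "priority")
                sms_receivers.append((rcv.get(ANDROID_NS + "name"), prio))
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")]
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "network_permissions": sorted(perms & NET_PERMS),
        "sms_receivers": sms_receivers,
        "background_services": services,
    }
    # Only the full combination matches the SMS-proxy profile; any one
    # indicator alone is common in benign apps (e.g. a messaging client).
    findings["sms_proxy_profile"] = bool(
        findings["sms_permissions"] and findings["network_permissions"]
        and sms_receivers and services)
    return findings
```

The verdict is a triage hint for further analysis, not proof of malice: legitimate SMS apps request the same permissions, so the receiver priority, the destination hosts and the presence of a hard-coded server URL in the configuration are what an analyst would check next.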