Canadian Spy Agency Targeted Android Smartphones to Implant Spyware

spy files

In case you thought everything was alright and secure with your mobile web browser, here is something that will force you to leave that comfort zone: A spy group alliance comprising Canada, the United States, Britain, Australia, and New Zealand targeted and exploited weaknesses in mobile web browsers and sought ways to hijack data links to servers used by Google’s and Samsung’s app stores, the latest document obtained by Edward Snowden reveals, as reported by CBC.

Some popular mobile apps incorporate weak security measures, so — if discovered by spy agencies — they represent a backdoor to user data. Now it only depends on who gets there first: the hacker, criminal, or spy agencies. You decide which is worse.

“All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk. What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people’s internet use, and perhaps use bits and pieces of that to make correlations,” says Michael Geist.

What the CBC report reveals is that the spy group that calls itself the Five Eyes intelligence alliance targeted mobile app store servers, as they provide key access to massive amounts of data from millions of mobile devices across the globe. They also wanted to implant spyware on targeted smartphones for obtaining data and taking over the device.

What is alarming is that users have no idea of this: they just use the apps, and they aren’t aware of the security measures the companies/developers behind those apps take. Just take Alibaba, for example.

Canada’s electronic surveillance agency, the Communications Security Establishment, refused to comment on its capabilities, saying that would constitute a breach of the Security of Information Act.

“CSE is mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” the agency said in a written statement. “CSE does not direct its foreign signals intelligence activities at Canadians or anywhere in Canada.”

Of course, this raises the question of national security versus customer privacy: should the government inform citizens about the security weaknesses they have discovered in devices, operating systems, and online infrastructure?

The University of Ottawa’s Michael Geist, one of Canada’s foremost experts on Internet law, believes there is an expectation that the federal government will protect Canadians. Well, we may have to wait a while to get that kind of protection from Ottawa. But what should we do until then?