Wikileaks Reveals CIA Collects Zero-Day Android Exploits, but the Leaked Vulnerabilities are All Dated

Wikileaks Reveals CIA Collects Zero-Day Android Exploits, but the Leaked Vulnerabilities are All Dated

If you regularly follow international news, you might have heard of WikiLeaks. WikiLeaks is a non-profit organization that focuses on publishing leaks, in particular those related to governments and politicians. A lot of what WikiLeaks publishes reaches front pages around the world, and for good reason.

Today, WikiLeaks has begun a new series of leaks code-named “Vault 7”, on the U.S. Central Intelligence Agency (CIA). The first part of this series is dubbed “Year Zero” and it comprises of 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence. The CIA recently lost control of the majority of its hacking arsenal which included malware, trojans, weaponized “zero day” exploits, malware remote control systems, and more. This collection has the capability of giving its possessor the entire hacking capacity of the CIA.

“Year Zero” introduces CIA’s global covert hacking program, its malware arsenal and “dozens of zero day weaponized exploits” against a wide range of products and Operating Systems, including Android. For the scope of this article, we will be focusing on Android primarily, which is present on 85% of devices around the world.

As WikiLeaks states in their press release:

“Year Zero” shows that as of 2016 the CIA had 24 “weaponized” Android “zero days” which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

WikiLeaks mentions that the time period covered in these leaks is 2013-2016. These documents appear to be pulled from an internal Wiki of the CCI, but are littered with redactions extending on to even archive attachments. The Android related zero day vulnerabilities lead us to this page where they are detailed further.

The leaks from WikiLeaks do make it clear that the U.S. government did actively work towards researching and collecting various exploits against a plethora of different Operating Systems and hardware. The leaks relate primarily to the U.S. government, but that does not mean that only the US government organized such activities. Citizen surveillance can be expected out of any government (to some degree), regardless of how heavily dressed up in the name of “national security” their stated purpose may be.

With that being said, we do need to take a closer look at the Android exploits talked about before getting anxious or alarmed. The “zero day” exploits mentioned in the leaks relate to older Android hardware and software, with many of these devices no longer being sold or supported. A zero-day exploit is one wherein the existence of a vulnerability is unknown to the vendor, a fact that the hacker exploits to take control before the vendor can find and patch the backdoor. But in several of these cases, vendors will not rush to patch the now-disclosed vulnerability simply because the affected product is too outdated to be of any consequence.

For example, the ‘Dugtrio’ Remote Access Vulnerability affects devices running Android versions 4.0 and 4.1.2. The Freedroid vulnerability affects Android 2.3.6 – 4.2 and is deemed unreliable in Android 4.3 -4.4. The Flameskimmer vulnerability affects Android 4.4.4, but also requires the device to have a Broadcom WiFi chipset. The Spearrow Remote Info Leak exploit requires Android 4.1.2, but the document appends a ‘?’ to the affected version number which we presume to indicate this exploit’s unreliability. For reference, Android 4.3 and below is present on 13.3% of Android devices per the latest distribution numbers, while Android 4.4 bumps that percentage to 21.9%.

Furthermore, several of these exploits target specific devices, but said devices are old and not readily found in the market today. For example, the Colobus exploit targets devices with an Adreno 225 GPU (found in the Snapdragon S4 Plus SoC) or the Adreno 320 GPU (part of the Snapdragon 600) which can be found on dated phones such as the Sony Xperia Z, the Samsung Galaxy S4 i9505, and the HTC One (M7).  The Simian exploit affects MSM8974 (Snapdragon 800) devices.

Perhaps the most relevant of these exploits are Galago, Snubble, and Sulfur. Galago affects a few variants of the Samsung Galaxy Note 4. But even then the detail page mentions only two build numbers affected (namely KTU84P.N910HXXU1ANK5 for the SM-N910 and KTU84P.N910SKSU1ANK8 for the SM-N910S). Snubble on the other hand affects the Samsung Galaxy S5 on build KOT49H.G900HXXU1ANCD, the Galaxy Note 3 on KOT49H.N900W8UBUCNC1, and the Galaxy S4 on KOT49H.I9500UBUFNB3. Some more builds of the Samsung Galaxy Note 4 are affected by Sulfur.

Even on specific applications, EggsMayhem affects “Chrome version 32-39 (present)”, but Chrome version 39 which is marked as “present” was released back in late 2014.

The leaking of the existence of citizen surveillance techniques is certainly a cause of worry for citizens. First and foremost, it infringes on the very basic right to privacy, which the United States Constitution in particular guarantees through the Fourth Amendment. Giving the government unrestricted access over our personal data is a thought that would not sit well with many of us, and leaks such as these make matters even more worrying given that consent to such activity was never given implicitly nor explicitly.

But what we would like to urge readers to do is to take a level-headed approach to the leaks. These leaks show sinister government behavior, and we are with you on that fact, but before getting anxious or paranoid keep in mind that many of these affect a small portion of the total Android users as they target outdated hardware and unsupported software, both of which are several generations behind. The press release insists the leaks as being current, but the affected vectors belong more to 2014 than they do to 2016. The sensationalism used by WikiLeaks in their press release (evidenced by the citation below) is unsupported by their leaked information as far as Android is concerned.

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.

With regards to this particular statement in the leaks, there is no indication on the Android side of things that any of these applications and their security was specifically affected. What is indicated is that the integrity and security of the device itself was compromised, which then opened up an access route for hackers to sniff and collect information from these applications before the information was encrypted. There is no indication that the encryption on these services was broken and their security compromised at the service level.

Looking at this offers, several of these are obviously well known, public vulnerabilities/exploits (Towelroot, the javascript one, etc). Nothing new, nothing concerning (except those on really old phones or who refuse to update).

A few I suspect I know what they are, and they are also dead (patched or mitigated).

Rest straight state they are for old builds.

TLDR Don’t worry about what they posted, its all old or known. Maybe worry about newer exploits they have that are not listed. Don’t worry about any of it unless you have a reason for nation states to mess with you.

  • Senior Recognized Developer jcase

To be fair, it is possible that the internal CCI wiki page that was leaked was out-of-date when it was retrieved. There is also a possibility that newer and more relevant zero-day exploits were not added to the wiki to protect it from leaks such as this one. Another possibility, since the government actively worked to find and document such exploits in the past, is that it continues to do so in the present but hasn’t had as much success as device security has improved over time. But even if the government does find it, there is very little chance the existence of such an exploit will be made public knowledge by the government itself, so do remain skeptical.

The leaks from WikiLeaks has opened a can of worms and put digital security in the modern world back into the spotlight. While the broader topic does rightfully invite heated discussions, our current Android devices may very well remain largely uncompromised. However, the XDA-Developers team takes security seriously, so please do look into ways in which you can secure your data wherever possible. You’d be surprised as to how a few minor time investments can protect your privacy.

What are your thoughts on the WikiLeaks “Year Zero” leaks? Let us know in the comments below!

Source: WikiLeaks Vault 7 Press Release

About author

Aamir Siddiqui
Aamir Siddiqui

I am a tech journalist with XDA since 2015, while being a qualified business-litigation lawyer with experience in the field. A low-end smartphone purchase in 2011 brought me to the forums, and it's been a journey filled with custom ROMs ever since. When not fully dipped in smartphone news, I love traveling to places just to capture pictures of the sun setting. You can reach out to me at [email protected]