The NSA developed a plan to deliver malware through Google and Samsung app stores, according to newly published documents obtained by Edward Snowden and published by The Intercept. The documents details a program called IRRITANT HORN, which delivers malware by intercepting web traffic to and from mobile application servers. One slide details Samsung's update protocol, while another pinpoints the Google Play servers in France, used to deliver updates to phones throughout northern Africa.
Once the path to those servers was established, the NSA could intercept traffic before it reached the servers, injecting malware to specific users through a man-in-the-middle attack. The files would appear to come from a trusted app store, but they would really be coming from the NSA. From there, the NSA could deliver tools from its extensive catalog of surveillance programs, including pulling a user's contact list or reporting their location in near-real-time. Both Samsung and Google employ TLS encryption to protect against man-in-the-middle attacks like this, but cryptographers have been speculating for years that the NSA has found a way to break or circumvent those protections.
The documents date from November 2011 to February 2012, and it's unclear if the plan was ever put into action. Still, it demonstrates the NSA's abiding interest in breaking user protections to collect data and deliver malware. Previous Snowden documents suggested a similar program that would deliver malware using stolen SIM card keys. The revelation also comes as the FBI and others are actively lobbying for backdoors into consumer encryption systems, a proposal tech companies have vigorously resisted.