In case you did not know, Vault 7 is the name of a series of documents that WikiLeaks began releasing on March 7, 2017. It documents the activities and capabilities of the US Central Intelligence Agency, including programs and tools held by the agency, allegedly created for electronic surveillance and cyber warfare. Unfortunately, once tools like these are public, other actors repurpose them to attack whoever is exposed. The best-known recent example is WannaCry, which spread between Windows machines using EternalBlue, an exploit for SMB version 1 (that one came from the Shadow Brokers leak of NSA tooling rather than from Vault 7, but the lesson is the same). Microsoft had patched the SMBv1 bug in March 2017 (MS17-010), and after WannaCry hit in May it took the unusual step of releasing the fix for out-of-support operating systems such as Windows XP and Server 2003. Of course, not everyone listened.
This week we get another dump from Vault 7, and it includes HighRise, an Android app built for devices running Android 4.0 to 4.3. It provides an SMS redirector function: once the app has been installed on the phone and activated, it intercepts incoming SMS messages and forwards them over a TLS/SSL-secured connection to an internet listening post, and it can also send outgoing SMS messages from the phone. The documentation describes it as a proxy for the CIA's Information Operations Center (IOC) tools that use SMS to communicate between implants and listening posts, giving greater separation between devices in the field and the listening post. Note that it is not a remote exploit; someone has to get the app onto the device first. What makes the technique interesting beyond this one tool is that anything sitting in the SMS path can change what the other end hears. For instance, the device could be reporting a problem (a monitored system not working correctly) while the message that actually gets delivered says everything is OK. Basically, messages destined for the Android device are proxied through a third party somewhere else, and because the proxying happens over TLS/SSL there is little to see on the wire.
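A quick triage check that follows from the above: an SMS redirector of this kind needs both the ability to receive SMS and network access, so listing which installed packages request both is a reasonable first pass on a device you are worried about. The code below is an added example, not anything from the leaked documents or from the original post. It parses a constructed excerpt written in the style of `adb shell dumpsys package` output (the real output is far longer and its layout varies across Android versions, so the format assumed here is a simplification) and flags packages that request an SMS-reading permission together with INTERNET.

```python
import re
from typing import Dict, Set, List

# Constructed sample in the style of `adb shell dumpsys package` output.
# This is made-up data for the example, not a capture from a real device.
SAMPLE_DUMPSYS = """\
Package [com.android.mms] (1a2b3c):
    versionName=4.3
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
Package [com.example.weatherwidget] (4d5e6f):
    versionName=1.2
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
Package [com.example.notesync] (7a8b9c):
    versionName=1.0
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
"""

# A package header line looks like: Package [name] (hash):
PACKAGE_RE = re.compile(r"^Package \[([^\]]+)\]")
# A permission line inside the "requested permissions:" section.
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")

# Permissions that let an app see incoming or stored SMS.
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Permission needed to forward anything to an internet listening post.
NETWORK = {"android.permission.INTERNET"}


def parse_requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map each package name to the set of permissions it requests.

    Only the "requested permissions:" block of each package is read; other
    sections (for example "install permissions:") are skipped.
    """
    perms: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # Enter the requested block; any other "... permissions:" header ends it.
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested:
            m = PERM_RE.match(line)
            if m:
                perms[current].add(m.group(1))
    return perms


def find_sms_redirector_candidates(perms: Dict[str, Set[str]]) -> List[str]:
    """Return packages that can both read incoming SMS and reach the network."""
    return sorted(pkg for pkg, p in perms.items() if p & SMS_INTERCEPT and p & NETWORK)


if __name__ == "__main__":
    candidates = find_sms_redirector_candidates(parse_requested_permissions(SAMPLE_DUMPSYS))
    for pkg in candidates:
        print("review:", pkg)
```

The stock messaging client and plenty of legitimate apps (two-factor helpers, backup tools) request the same combination, so a hit here means "look at this package", not "this is an implant". The point of the check is to shrink the list of things to look at on a device that cannot be upgraded.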
With Black Hat and DEF CON coming up, I am sure that a few attendees will be taking a closer look at this document, and there will be plenty of Android devices at those conferences. This is just another example that shows companies they need to upgrade. Android 4.0 (Ice Cream Sandwich) shipped in late 2011 and 4.1 through 4.3 (Jelly Bean) in 2012 and 2013; none of them receive security updates any more. Version 7.x (Nougat) is the latest, with 8.0 expected. It is time to upgrade. I know, sometimes easier said than done.