Once the path to those servers was established, the NSA could intercept traffic before it reached the servers, injecting malware to specific users through a man-in-the-middle attack. The files would appear to come from a trusted app store, but they would really be coming from the NSA. From there, the NSA could deliver tools from its extensive catalog of surveillance programs, including pulling a user’s contact list or reporting their location in near-real-time. Both Samsung and Google employ TLS encryption to protect against man-in-the-middle attacks like this, but cryptographers have been speculating for years that the NSA has found a way to break or circumvent those protections.
The documents date from November 2011 to February 2012, and it’s unclear if the plan was ever put into action. Still, it demonstrates the NSA’s abiding interest in breaking user protections to collect data and deliver malware. Previous Snowden documents suggested a similar program that would deliver malware using stolen SIM card keys. The revelation also comes as the FBI and others are actively lobbying for backdoors into consumer encryption systems, a proposal tech companies have vigorously resisted.