The FBI operation in which the agency intercepted messages from thousands of encrypted phones around the world was powered by cobbled-together code. Motherboard has obtained that code and is now publishing sections of it that show how the FBI was able to create its honeypot. The code shows that the messages were secretly duplicated and sent to a “ghost” contact that was hidden from the users’ contact lists. This ghost user, in a way, was the FBI and its law enforcement partners, reading over the shoulder of organized criminals as they talked to each other.
Last year, the FBI and its international partners announced Operation Trojan Shield, in which the FBI secretly ran an encrypted phone company called Anom for years and used it to hoover up tens of millions of messages from Anom users. Anom was marketed to criminals, and ended up in the hands of over 300 criminal syndicates worldwide. The landmark operation has led to more than 1,000 arrests, including alleged top-tier drug traffickers, and massive seizures of weapons, cash, narcotics, and luxury cars.
Motherboard has obtained this underlying code of the Anom app and is now publishing sections of it due to the public interest in understanding how law enforcement agencies are tackling the so-called Going Dark problem, where criminals use encryption to keep their communications out of the hands of the authorities. The code provides greater insight into the hurried nature of its development, the freely available online tools that Anom’s developers copied for their own purposes, and how the relevant section of code copied the messages as part of one of the largest law enforcement operations ever.
Do you know anything else about Anom? Were you a user? Did you work for the company? Did you work on the investigation? Are you defending an alleged Anom user? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
The key part of the Anom app is a section called “bot.”
The app uses XMPP to communicate, a long-established protocol for sending instant messages. On top of that, Anom wrapped messages in a layer of encryption. XMPP works by having each contact use a handle that resembles an email address. For Anom, these included an XMPP account for the customer support channel that Anom users could contact. Another of these was bot.
Unlike the support channel, bot hid itself from Anom users’ contact lists and operated in the background, according to the code and to photos of active Anom devices obtained by Motherboard. In practice the app scrolled through the user’s list of contacts, and when it came across the bot account, the app filtered that out and removed it from view.
That finding is corroborated by law enforcement files Motherboard obtained which say that bot was a hidden or “ghost” contact that made copies of Anom users’ messages.
Authorities have previously floated the idea of using a ghost contact to penetrate encrypted communications. In a November 2018 piece published on Lawfare, Ian Levy and Crispin Robinson, two senior officials from UK intelligence agency GCHQ, wrote that “It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” and “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”
The code also shows that in the section that handles sending messages, the app attached location information to any message that is sent to bot. On top of that, the AndroidManifest.xml file in the app, which declares the permissions an app requests, includes the permission “ACCESS_FINE_LOCATION.” This confirms what Motherboard previously reported after reviewing thousands of pages of police files in an Anom-related investigation. Many of the intercepted Anom messages in those documents included the precise GPS location of the device at the time the message was sent.
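As an added example (not code from the Anom app or from Motherboard’s analysis), here are two audits a reverse engineer could run on captured XMPP traffic to surface the behaviour described in this paragraph and in the earlier one on the hidden contact: compare the roster the server delivers with the contacts the client actually displays, and report which recipients receive message children beyond the text body. The stanzas, JIDs and the `<location>` element are constructed stand-ins, not the real app’s format.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ROSTER_NS = "jabber:iq:roster"

# Constructed roster result (RFC 6121, jabber:iq:roster); the JIDs are made up.
ROSTER_RESULT = """<iq xmlns="jabber:client" type="result" id="r1">
  <query xmlns="jabber:iq:roster">
    <item jid="support@example.invalid" name="Support" subscription="both"/>
    <item jid="bob@example.invalid" name="Bob" subscription="both"/>
    <item jid="bot@example.invalid" subscription="both"/>
  </query>
</iq>"""

# Constructed outgoing stanzas. <location> is a stand-in for "extra data attached
# to a message", not the element any real app used.
OUTGOING = [
    '<message xmlns="jabber:client" to="bob@example.invalid"><body>hi</body></message>',
    '<message xmlns="jabber:client" to="bot@example.invalid"><body>hi</body>'
    '<location lat="0.0" lon="0.0"/></message>',
]

def roster_jids(stanza):
    """Every bare JID in a roster result, as the protocol layer receives it."""
    root = ET.fromstring(stanza)
    return {item.attrib["jid"] for item in root.iter(f"{{{ROSTER_NS}}}item")
            if "jid" in item.attrib}

def hidden_contacts(stanza, displayed):
    """Roster entries the UI never rendered. A client that suppresses a contact
    still has to receive it from the server, so wire-minus-UI exposes it."""
    return roster_jids(stanza) - set(displayed)

def extra_payload_by_recipient(stanzas):
    """Map recipient JID -> names of child elements other than <body>. One
    recipient that alone gets extra children is the pattern to look for."""
    extras = defaultdict(set)
    for raw in stanzas:
        msg = ET.fromstring(raw)
        for child in msg:
            local_name = child.tag.rsplit("}", 1)[-1]  # strip the XML namespace
            if local_name != "body":
                extras[msg.attrib.get("to", "?")].add(local_name)
    return dict(extras)

if __name__ == "__main__":
    shown = {"support@example.invalid", "bob@example.invalid"}  # constructed UI view
    print("hidden:", sorted(hidden_contacts(ROSTER_RESULT, shown)))
    print("extra payload:", extra_payload_by_recipient(OUTGOING))
```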
In some cases, police officers reported that the Anom system failed to record those GPS locations correctly, but according to those police files, authorities believe the coordinates are generally reliable because they have in some cases been matched with other information, such as photos.
A lot of the code for handling communications was apparently copied from an open source messaging app.
The code itself is messy, with large chunks commented out and the app repeatedly logging debug messages to the phone itself.
Cooper Quintin, a senior staff technologist at activist organization the Electronic Frontier Foundation (EFF), didn’t think it was unusual for developers to use other modules of code found online. But he did find it “bonkers” that the FBI used ordinary developers for this law enforcement operation.
“This would be like if Raytheon hired the fireworks company down the street to make missile primers, but didn’t tell them they were making missile primers,” he said in a phone call. “I would typically assume the FBI would want to keep tighter control on what they’re working on,” such as working with in-house computer engineers who had security clearance and not bringing in people who are unknowingly taking down criminal organizations, he added. (One reason for the use of third-party developers was that Anom already existed as a company in its own right, with coders hired by the company’s creator who worked on an early version of the app, before the FBI became secretly involved in Anom’s management.)
Recently, courts in Europe and Australia have seen the next step of the Anom operation: the prosecution of these alleged criminals, with Anom messages making up much of the evidence against them. Defense lawyers in Australia have filed legal requests to obtain the code of the Anom app itself, arguing that access to the code is important to determine whether the messages being presented in court by the prosecution are accurate. The Australian Federal Police (AFP) has refused to release the code.
“Anybody who has been charged with an offence arising from messages that are alleged to have been made on the so-called ‘Anom Platform’ has a clear and obvious interest in understanding how the device worked, how anyone was able to access these messages and most importantly whether the original accessing and subsequent dissemination of these messages to Australian authorities was lawful,” Jennifer Stefanac, an Australian solicitor who is defending some of the people arrested as part of Operation Ironside, the Australian authorities’ side of the Anom operation, told Motherboard in an email.
A second lawyer handling Anom-related cases said they didn’t think the Anom code would be of much relevance to defendants’ cases. A third said they saw why defendants may seek access to the code, but that they believed it shouldn’t be publicly available.
When asked for comment, the San Diego FBI told Motherboard in a statement that “We appreciate the opportunity to provide feedback on potentially publishing portions of the Anom source code. We have significant concerns that releasing the entire source code would result in a number of situations not in the public interest like the exposure of sources and methods, as well as providing a playbook for others, to include criminal elements, to duplicate the application without the substantial time and resource investment necessary to create such an application. We believe producing snippets of the code could produce similar results.”
Motherboard is not publishing the full code of Anom. Motherboard believes the code contains identifying information on who worked on the app. Most of the people who worked on the Anom app were not aware it was secretly an FBI tool for surveilling organized crime, and exposing their identities could put them at serious risk. Motherboard will not be releasing the app publicly or distributing it further.
Motherboard previously obtained one of the Anom phones from the secondary market after the law enforcement operation was announced. In that case, the phone had a locked bootloader, meaning it was more difficult to extract files from the device. For this new analysis of the code, a source provided a copy of the Anom APK as a standalone file which Motherboard then decompiled. Motherboard granted multiple sources in this piece anonymity to protect them from retaliation.
Decompiling an app is an everyday process used by reverse engineers to access the code used to construct an app. It can be used to fix problems with the software, find vulnerabilities, or generally to research how an app was put together. Two reverse engineering experts corroborated and elaborated upon Motherboard’s own analysis of the app.
Operation Trojan Shield has been widely successful. On top of the wave of arrests, authorities were also able to intervene using the messages and stop multiple planned murders. In June, to mark the one-year anniversary of the operation’s announcement, the AFP revealed it has shifted some of its focus to investigating thousands of people suspected of being linked to Italian organized crime in Australia and that it is working with international partners.