New Zealand and its spying partners exploited weaknesses in one of the world's most popular mobile browsers and planned to hack into smartphones, according to a Top Secret document leaked this week.
The Five Eyes partners are accused of targeting links to Google and Samsung app stores in a project civil liberties activists have denounced.
The spy agencies deliberately sought security vulnerabilities, but failed to inform companies or the public, leaving the private data of millions of people at risk, civil liberties group OpenMedia said today.
The leaked Top Secret document was posted on the Canadian CBC News site, in conjunction with The Intercept, after whistleblower and fugitive Edward Snowden acquired it.
Apart from discussing how to propagate surveillance software, the newly revealed document described efforts to place messages and other communications data on smartphones.
The idea was to send misinformation to confuse enemy spy agencies.
In a statement this afternoon, a spokesman for the Department of the Prime Minister and Cabinet said the GCSB "exists to protect New Zealand and New Zealanders" and had a foreign intelligence mandate.
"We don't comment on speculation about matters that may or may not be operational," he said. "Everything we do is explicitly authorised and subject to independent oversight."
Auckland-based geopolitical analyst Dr Paul G Buchanan said civil libertarians were right to have concerns about the latest Five Eyes leak.
"I thought it was ingenious for them to try to install malware to confuse their opponents. That presumably is because they know the phone numbers of other countries' spies," he said.
"If they're installing malware on environmental activists or people of that ilk, then it is a bit beyond the pale."
He said the GCSB's track record, which included illegal spying on Kim Dotcom, could reinforce these suspicions.
However, Dr Buchanan said most members of the public had little reason to worry about the spying mentioned in the latest leak.
"I think that although the private data of millions of people was at risk, I don't think that the intelligence guys in Five Eyes [have] the time or resources to go through all that data. They're obviously looking for more specific things."
He said there was still a possible risk from rogue agents who might misuse their jobs to advance prurient or personal agendas, such as stalking ex-partners or love rivals.
Such abuses had occurred in other Western spy agencies, he said.
Dr Buchanan said an institutional "lag" existed where legal frameworks governing spying were not keeping up with technological advances available to intelligence agencies.
Spies were therefore usually far ahead of any laws restricting their activities.
"If there's not a law that specifically prevents them from doing so, then they will do so."
Dr Buchanan said the GCSB's claim that its spies were "explicitly authorised" to spy in the ways the latest leak outlined did not mean those actions were ethical or carried out in a democratic spirit.
The document described ways to access Samsung and Google's app stores to collect information on the customers of those firms.
The companies declined to talk to CBC about the latest leak.
During workshops held in Canada and Australia in late 2011 and early 2012, a Five Eyes "tradecraft" team tried to find ways to implant spyware on smartphones by intercepting the transmissions sent when downloading or updating apps.
The 52-page document included details of the vuvuzela-inspired Operation Irritant Horn.
"The malware implanted with this technique allows the intelligence agencies to control user's devices and exfiltrate data from it," security analyst and "ethical hacker" Pierluigi Paganini wrote on the Security Affairs blog.
"All of this is being done in the name of providing safety and yet ... Canadians or people around the world are put at risk," University of Ottawa internet law expert Michael Geist told CBC.