Sneaky App Shows Potential For Smartphone Botnets
by Jim Giles, Correspondent, The New Scientist
Security researchers have installed potentially dangerous software on thousands of smartphones to illustrate a new security threat. They believe their creation is the first ever demonstration of a mobile “botnet”.
Botnets are networks of computers that have been broken into and brought under the control of a malicious hacker. The networks, which are used to send spam and steal online banking passwords, include millions of “zombie” machines worldwide.
Smartphones such as the iPhone and devices running the Android operating system have not previously been targeted by botnet owners. But Derek Brown and Danny Tijerina at TippingPoint, a computer security firm in Austin, Texas, have now shown that it would be relatively easy to do so.
Brown and Tijerina created a smartphone application called WeatherFist, which purported to be a weather forecasting service, and uploaded the software to a variety of online “app” stores. Around 7800 users have downloaded WeatherFist onto their phones in the last few months, Brown and Tijerine told the RSA Conference in San Francisco.
The app does indeed provide weather forecasts. But the app also secretly passed users’ locations and phone numbers to a server controlled by Brown and Tijerina. The pair created a second version of the software, called WeatherFistBadMonkey, able to send names, phone numbers and addresses from a phone’s contacts list to the server too.
That version was only tested on Brown and Tijerina’s own phones. Such software could also potentially be “upgraded” to steal files from the phone, log keyboard entries or send emails, say Brown and Tijerina.
iPhone users are much better protected against such attacks. Most users only download apps from the official Apple app store, which is monitored for dangerous software. Brown and Tijerina submitted WeatherFist to ModMyi, an alternative app store that caters to iPhones that have been modified to accept software not on the official app store. This modification, known as jailbreaking, is strongly discouraged by Apple.
Phones using Google’s Android operating system, however, do not need to be jailbroken to accept unofficial software. Over 90 per cent of WeatherFist downloads were to Android phones. “The average user is not tech-savvy enough to police the apps they put on their phone,” says Brown.
A Google spokesperson says that Android users receive a security warning when they download apps from sites other than the official Android Market. The Android Market itself is also monitored for malicious content.