If you have a smartphone, online criminals may soon have your number. Smart phone malware is getting increasingly sophisticated, and MIT‘s Technology Review reports that a security researcher has created software that turns a smart phone into a “zombie” that can be controlled remotely. The blog says Georgia Weidman created the program, which controls a Google (GOOG) Android phone via short message service (SMS) to bring about a smartphone zombie apocalypse.
Once only theoretical, real-world cell-phone viruses are becoming more common. The article reports the most famous was a scam in Russia tricked users into installing malicious software on Android phones, and using the SMS functionality to send messages to a number that charged a premium fee. In late 2010, a Chinese virus for Android devices was used to steal personal data according to the article.
Botnets have become a staple of Internet crime. They can be used to attack other systems, host attack tools, send spam, or just steal data. The blog says this type of attack has been rare with mobile devices, but that seems to be changing. “We have been taking down Internet botnets for years now, but there is not as much understanding [of telecom networking],” Weidman says. “I definitely see criminals going more and more toward using the telco’s network.”
TR explains that Weidman’s program is one of the first known to turn smartphones into zombie nodes of a botnet. Her attack works like this: After infecting a phone with a rootkit, she uses that phone to send spam text messages, take part in a denial-of-service, or degrade the communications of the phone—all without the user knowing. The techniques apply to any smart phone, Weidman says.
Today’s smart phones have multiple layers of defense. For one, they can block malicious applications. They also have managed channels, such as the Apple (AAPL) App Store and Google’s Android Marketplace, for applications.
As a result, Weidman says, infecting a smartphone is not easy. “The hurdle with any malware is infecting the phone,” she told Technology Review, noting that the methods used by cybercriminals usually do not work. “More of what you see of malware is peoplee downloading applications for their phone that are infected,” she says.
The problem of cybercriminals targeting consumers’ phones will only get worse Kevin Mahaffey, chief technology officer of mobile-security startup Lookout told the author. Because the control of phones is so easy to turn into cash via premium text messages, criminals will be drawn to attack the devices.
“I always tend to look at the economics of the problem to ask myself whether it will continue in the future,” the CTO explained. “And because there is an incentive for attackers to compromise mobile phones, and the cost of compromising is not that high, that says it will become more prevalent in the future.”
Using the telecommunications network, rather than the Internet, for botnet control allows attackers to hide their actions from users. When the attacker does it using malicious software, the user has little chance of detecting it, says Weidman.
“When I infected a phone in my botnet—my lab botnet—with malware, the smart phone would receive a message through SMS and I would check to see if it has botnet instructions in it,” she says. “If it does, it would perform the functionality requests, and then it would swallow the message, so the user does not know that there was a message at all.”
While phones do not have the computing power of more traditional computers, they are hefty enough to handle many of the tasks that cybercriminals desire, she says. She adds that the sheer number of smart phones means that any botnet could be “a real threat” to create a smartphone zombie apocalypse.
- Android Malware Infections Increase By 700% (escapistmagazine.com)