Two researchers from TippingPoint’s Digital Vaccine Group duped thousands of smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application. Kelly Jackson Higgins at DarkReading writes that Derek Brown and Daniel Tijerina created a smartphone application called WeatherFist. Over 8,000 users downloaded WeatherFist, which grabbed users’ PII. The info they grabbed included GPS coordinates and telephone numbers, before displaying local weather information.
The researchers did not distribute their application via the official iPhone and Android application stores. Rather, they distributed the WeatherFist application via third-party app markets like Cydia, SlideME, and Modmyi. The apps could only be installed on jailbroken iPhones or Android devices where users had specifically given permission for non-approved applications to be run. “We wanted people to feel comfortable using the application and putting it on their phone so we would have permission to do a lot of things like pass GPS coordinates, write to the file system, and surf,” Brown told DarkReading.
Mobile Botnet
At the 2010 RSA Security Conference the researchers claimed they also wrote a malicious version of their mobile botnet, which they dubbed WeatherFistBadMonkey. According to DarkReading, the malicious app behaves more like traditional botnet code, stealing information and capable of distributing spam. “We could enable or disable system services [with a malicious app],” Brown says. The TippingPoint researchers told DarkReading they wanted to prove how an app could behave like much of the traditional Windows malware which, steals information, and allows hackers to gain remote control of hijacked devices.
rb-
Smartphones are a part of today’s network and Brown and Tijerina claim that this research shows a security hole in networks. Some of the ways to plug these new holes are to:
- Update policies for the proper use of smartphones
- Prohibit unsafe modifications of smartphones
- Allow apps only from reputable app stores
- Provide training on smartphone application usage
- Lockdown the Wi-Fi network settings to keep smartphones from ‘phoning home’ any information that shouldn’t leave the firm.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.