Researchers build a mobile botnet from smartphones.

A story about the seedy cyber underground AND mobile devices at the same time? It’s too good to pass up!

Zombie iPhones, oh my!

This story emerged last week about a pair of researchers who created an application called WeatherFirst for iPhone and Android handhelds to demonstrate how easy it would be to add malicious code to an application, and they ended up netting over 8000 iPhone and Android smartphones! They specifically targeted distribution channels outside of the vendor stores, which didn’t have such thorough testing or as high a standard, or maybe they just wanted to avoid the army of lawyers ready to pounce on them once the story was published.

For an iPhone, it meant that the phone had to be jail-broken, but the Android phone didn’t have the same requirement.

To their credit, this application is actually useful. It was created as a proof of concept, though, to show how easy it is to trick users into installing an application that might be malicious. The WeatherFirst application retrieves the GPS coordinates of your location and sends them back to a server so they can be converted into a Zip Code, which is used to get local weather from the Weather Underground. This app by itself isn’t harmful, but they also created a version, which was not publicly available, that was malicious and ran botnet code capable of turning the device into a zombie.

A botnet is a collection of machines that have been compromised and that report back to some server for instructions to carry out. In addition to being able to collect sensitive information, botnets are often used to send spam. Here is a related story about a real botnet that might be good background.

For a developer, this isn’t any big news really. We know that there is potentially sensitive data on a user’s device and that there are APIs to get access to it. There are safeguards in place when downloading apps from the iPhone AppStore, Android Market, and BlackBerry App World to prevent this, such as code signing. Apparently though, there are enough people willing to take their chances with applications from less reliable distribution channels.
