Mobile security is a misnomer at this point. Very little stands in the way of someone creating and deploying malicious code, and it looks like proof-of-concept botnet code is set to be publicly revealed. The app can hide itself on the phone and send out text messages that don’t leave a footprint. According to Dark Reading:
In Weidman’s hack, the "master" smartphone communicates via SMS messages to the bots without the user knowing, and the bot sends SMS spam without the user knowing. Her demo at ShmooCon will use three Android phones — one of which is the master of the botnet. The attack is silent because it uses a proxy that sits in the OS between the modem and the userspace, she says. "It sees GSM traffic before it goes to userspace … that’s where the transparency comes in. If it receives an SMS, the proxy can swallow the message so the user never sees it."
And the goal is for it to go undetected, without sapping the battery or even showing the spammed-out SMS messages. Bots get updated via the SMS text messages with shortened URLs, and spam also is spread that way from the bots to other smartphones.
The code set to be demonstrated this weekend could be tweaked to do more malicious things. It’s just proof-of-concept code, but it does show how easy this is to accomplish and how vulnerable phones are. Even the diligence done before an app gets into the App Store isn’t enough to detect this type of code based on current screening. Of course, if SMS is used you’ll eventually figure this out from your bill, but it’s a bit late by then. They also note that last year an app called WeatherFist was released to show how quickly malicious code could transfer; it was downloaded by 8,000 Android phones and iPhones. This was a weather app that transmitted personal user data to their site, but since it came from researchers there was ultimately no harm done.
So what can we do? Well, I think the simple reality is that we’re at a point where the mobile app markets are going to have to do more screening to protect end users or, if there’s no screening, as with Android, then antivirus apps will actually become necessary. The truth is, we all have a ton of personal information on our phones. If nothing else, with NFC becoming the norm and the ties between our phones and social activities strengthening, our phones are becoming easier targets, and they’re entirely unguarded since hiding malicious code in a benign app is so simple. For now, this is a ‘to be continued’ story, but I’m not sure it’s a good idea to publicly release this type of proof-of-concept app. It just makes it too easy.