Mobile security is a misnomer at this point. There are very few things in the way of someone creating and deploying malicious code and it looks like proof of concept botnet code is set to be publicly revealed. The app can hide itself on the phone and send out text messages that don’t leave a footprint. According to Dark Reading:

In Weidman’s hack, the "master" smartphone communicates via SMS messages to the bots without the user knowing, and the bot sends SMS spam without the user knowing. Her demo at ShmooCon will use three Android phones — one of which is the master of the botnet. The attack is silent because it uses a proxy that sits in the OS between the modem and the userspace, she says. "It sees GSM traffic before it goes to userspace … that’s where the transparency comes in. If it receives an SMS, the proxy can swallow the message so the user never sees it."

And the goal is for it to go undetected, without sapping the battery or even showing the spammed-out SMS messages. Bots get updated via the SMS text messages with shortened URLs, and spam also is spread that way from the bots to other smartphones.

The code set to be demonstrated this weekend could be tweaked to do more malicious acts. It’s just proof of concept code but it does show how easy this is to accomplish and how vulnerable phones are. Even the diligence done before getting into the App Store isn’t enough to detect these types of codes based on current screening. Of course, if SMS is used you’ll eventually figure this out based on your bill but it’s a bit late by then. They also note that last year an app called WeatherFist was released to show how quickly malicious code could transfer it it as downloaded by 8,000 Android and iPhones. This app was a weather app that transmitted personal user data to their site, but since it was researchers there was ultimately no harm done.

So what can we do? Well I think the simple reality is that we’re at a point where the mobile app markets are going to have to do more screening to protect end users or, if there’s no screening like Android, then antivirus apps will actually become necessary. The truth is, we al have a ton of personal information on our phones and if nothing else, with NFC becoming the norm and the ties between our phones and social activities strengthening our phones are becoming easier targets and they’re entirely unguarded since the ease of hiding malicious code in a benign app is so simple. For now, this is a ‘to be continued’ story, but I’m not sure it’s a good idea to publicly release this type of proof-of-concept app. It just makes it too easy.

1 COMMENT

  1. To be continued, huh. Doubt we’ll hear much about it again. But we shouldn’t have to wait long for another antivirus company to issue some vague advisory that phones running popular platforms are really insecure and big targets or whatever because that’s what I really need, Norton on my phone.

    Mobile security a misnomer? I have never found myself feeling insecure or seen any evidence of my phone being compromised in any way. Nor have you. It’s not a misnomer. Not yet at least. Besides, Google welcomes this and even pays people to do what this guy’s doing according to you. Helps them perfect the code, gives these guys some cash and a name for themselves, for the resume.

    On the other hand, radiator usually is a good, but less snappy, misnomer as the one in my apartment transfers heat by convection, not radiation. What else, hamburger (no ham, not from Hamburg I don’t think — same with Frankfurter). Tear gas is powder, not a gas. You park on a driveway but drive on the parkway (?)…

Comments are closed.