Powered By InformationWeek Business Technology Network
 
Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

Smartphone Weather App Builds A Mobile Botnet

Researchers dupe thousands of jailbroken iPhone, Android users into downloading app

Mar 05, 2010 | 04:55 PM

By Kelly Jackson Higgins
DarkReading

SAN FRANCISCO -- RSA Conference 2010 -- A pair of researchers has amassed nearly 8,000 iPhones and Android smartphones in an experimental mobile botnet project that demonstrates the ease of spreading potentially malicious applications on these devices.

Derek Brown and Daniel Tijerina, security researchers with TippingPoint's Digital Vaccine Group, demonstrated how their seemingly innocuous weather app -- called WeatherFist -- gathers information on the users who downloaded it, including their GPS coordinates and phone numbers.

The researchers wrote the app, which links to the Weather Underground Website and provides local and other weather forecast information to its users, and submitted it to app clearinghouses that offer apps for Androids and jailbroken iPhones. "We could get into the jailbroken [iPhone] market and deliver our app," Brown says.

They decided against Apple's iPhone AppStore as a way to distribute their app because apps undergo fairly rigorous vetting there: Code must be digitally signed by Apple, and apps can't "phone home" or contain private APIs, for instance. And approved iPhone apps run in a "sandbox," which prevents them from gathering data from a phone they aren't authorized to access.

The Android's official app marketplace was a bit too restrictive, as well, although their app doesn't require a jailbroken Android. The researchers used other online app stores that catered to jailbroken iPhones and other smartphones. "We wanted people to feel comfortable using the application and putting it on their phone so we would have permission to do a lot of things like pass GPS coordinates, write to the file system, and surf," Brown says.

A Google spokesperson reiterated that the app was not distributed via the Android Market. "Any user trying to download this application would need to change a setting on their Android device and bypass a security warning screen to enable downloading applications from other Websites," the spokesperson says. "Additionally, the Android application sandbox and permissions model requires a user to approve a list of permissions specified by applications before downloading. For example, a user must explicitly approve an application to access resources like location or the address book."

Within an hour of the app being set up on the SlideME and ModMyI app sites, the researchers had 126 downloads, and 702 after eight hours. "After 24 hours, we had 1,862," Tijerina says. And as of yesterday, the count was 7,800 iPhones and Androids running the app. "This was really surprising because if this was malicious code, that's a lot of bots we would control," he adds.

WeatherFist basically sends a request to pull the user's GPS coordinates and then sends that data to a server, where it's converted into the user's ZIP code. The ZIP code is passed to the Weather Underground site, which loads up the local weather information and forecast.

To prove the dangers of a mobile botnet, the researchers also wrote a malicious version of WeatherFist, called WeatherFistBadMonkey, that appears to the user as WeatherFist, but is really running bot code and can grab contact information, cookies, and physical addresses, and can send spam runs. They have run this app only on their own phones, not on those of their WeatherFist users.

The researchers have no plans to release WeatherFistBadMonkey due to its potential for abuse. "Nobody else is going to get this app," Tijerina says.

So why the WeatherFist experiment? The researchers say it's to prove how such an app could steal or modify a user's contacts, read his files, and access his Facebook and Twitter accounts, as well as email and passwords. "We could enable or disable system services [with a malicious app]," Brown says.

Brown says he and Tijera toyed with the idea of alerting WeatherFist users about the purpose of the app. "We considered sending messages to the users of our app and telling them to come see our talk here, but we didn't want to self-promote," which isn't the goal of the research, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.


Subscribe to RSS



Insider Threat Reports

report Inside Out: Protecting Your Partnerships -- and Your Data
Today's businesses depend on e-commerce among partners, but allowing third parties to access internal networks may endanger your data. How can IT security pros ensure that contractors, supplies and others get the access they need -- without becoming threats? This report offers some answers.

report Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization
Most data leaks are unintentional - but in every enterprise, there are a few hard cases that defy this truism and threaten the very heart of your data.What can you do to stop these rotten apples from using their intimate knowledge of your organization - and its data access methods - to wreak havoc? This report offers a detailed look at how malicious insiders might attack your data, how they’re motivated, and what you can do to stop them.

report Understanding The Insider Threat
Think you know your trusted users? Think again. The availability of new Internet technologies and the pressures of a spiraling economy are changing the nature of the data breach, and your employees may have their fingers on the trigger. This report offers a look at the full spectrum of insider threats, and the risks associated with each.

Other reports from the Insider Threat Tech Center:

Related Content

Anatomy of Insider Risk: Why You Could Be Your Worst Enemy
Organizations are typically aware of the problems they face from inside the firewall, but so many leaders focus on the risk of thieves and disgruntled employees that they leave too much room for error from the much more common insider threat: well-meaning, but negligent, insiders. Learn four steps to minimizing the risk.

Three Ways to Prevent USB Insecurity in Your Enterprise
As the advances in USB devices have made them invaluable to most business users’ workday processes, they have also exposed their organizations to three enormous risks: data loss, data theft and malware propagation. Learn how removable device policy enforcement can mitigate these risks while enabling managed use of these necessary productivity tools.

Medical Records on the Run: Protecting Patient Data with Device Control and Encryption
The convenience of putting medical records online enables healthcare professionals to provide more collaborative and knowledgeable care, but the more pervasive electronic health information becomes, the more of a risk it poses. Learn how to take advantage of the benefits of putting medical records online while effectively managing the risk.

The Great Balancing Act: Using USB Flash Drives in Government Environments
USB flash drives are a valuable tool in a government staffer’s virtual toolkit, but if left unmonitored they potentially introduce dangerous malware. Learn strategies for implementing a policy for secure USB use that will help prevent potential data loss, data theft, malware propagation and hacking.