Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:45 PM
Connect Directly

Researcher To Release Smartphone Botnet Proof-Of-Concept Code

Rootkit, SMS text messages used to build a botnet of smartphones

A researcher at ShmooCon DC this weekend will demonstrate a smartphone botnet spewing spam and unleash proof-of-concept code that builds a botnet out of Android and iPhone smartphones.

Georgia Weidman, an independent researcher, says her botnet attack evolved out of work she did on making an Android application send SMS text messages transparently such that the user didn't even know it was happening from his or her smartphone. "As I did more research, I [realized] if I did this in the base operating system instead of in 'userspace' where most apps are, it would be a better way to do it," she says. "If I can remotely control someone's phone, it can be part of a botnet."

While there has been plenty of smartphone research that pits one smartphone against another in an attack, she says, a more likely attack scenario would be a user unknowingly downloading an app that contains malicious code. "I think the majority of malware installations will come from a user downloading infected apps," which can easily be rigged with rootkits given the lack of sufficient vetting of most smartphone apps, she says.

Weidman says smartphone security is a lot like PC security was a decade ago because these devices are so exposed, with no built-in email filtering or firewalls, for example. "If a GSM modem receives a message, it goes to the user without any filtering," she says. "Smartphones are the ideal place for malware writers to move to because smartphones are getting more powerful and more capable all the time ... I believe this is where malware is going."

In Weidman's hack, the "master" smartphone communicates via SMS messages to the bots without the user knowing, and the bot sends SMS spam without the user knowing. Her demo at ShmooCon will use three Android phones -- one of which is the master of the botnet. The attack is silent because it uses a proxy that sits in the OS between the modem and the userspace, she says. "It sees GSM traffic before it goes to userspace ... that's where the transparency comes in. If it receives an SMS, the proxy can swallow the message so the user never sees it."

And the goal is for it to go undetected, without sapping the battery or even showing the spammed-out SMS messages. Bots get updated via the SMS text messages with shortened URLs, and spam also is spread that way from the bots to other smartphones.

Derek Brown, security researcher for HP TippingPoint's DVLabs, says SMS is a valid attack vector, but it has its limits. "At the end of the month when your detailed cell bill comes in, don't you see all of those messages to unintended locations?" Brown says. "[An attacker] would want to try something more surreptitious in the long-term."

Brown and a former colleague at DVLabs last year wrote a rogue Android app called WeatherFist that was downloaded by nearly 8,000 iPhones and Androids, demonstrating the ease of infecting smartphones with potentially malicious apps. WeatherFist, which linked to the Weather Underground website, gathered information on the users who downloaded it, such as their GPS coordinates and phone numbers.

Their app opened a socket in the background that left the phones open to communicate with their command-and-control server. "There are other ways of updating the software through the [app] marketplace," he says.

Weidman, meanwhile, says her botnet could easily be tweaked for more malicious purposes, such as stealing information from the smartphone bots. "You could know who they called, where they are, and when their phone was on or off," she says.

Her proof-of-concept code will not include any actual payloads, however. "In order to use it for tests, they need to create their own payload. I don't want it to be too easy," she says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-28
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
PUBLISHED: 2020-05-28
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
PUBLISHED: 2020-05-28
Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time wi...
PUBLISHED: 2020-05-28
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
PUBLISHED: 2020-05-28
node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.