Researcher To Release Smartphone Botnet Proof-Of-Concept Code

Rootkit, SMS text messages used to build a botnet of smartphones

A researcher at ShmooCon DC this weekend will demonstrate a smartphone botnet spewing spam and unleash proof-of-concept code that builds a botnet out of Android and iPhone smartphones.

Georgia Weidman, an independent researcher, says her botnet attack evolved out of work she did on making an Android application send SMS text messages transparently such that the user didn't even know it was happening from his or her smartphone. "As I did more research, I [realized] if I did this in the base operating system instead of in 'userspace' where most apps are, it would be a better way to do it," she says. "If I can remotely control someone's phone, it can be part of a botnet."

While there has been plenty of smartphone research that pits one smartphone against another in an attack, she says, a more likely attack scenario would be a user unknowingly downloading an app that contains malicious code. "I think the majority of malware installations will come from a user downloading infected apps," which can easily be rigged with rootkits given the lack of sufficient vetting of most smartphone apps, she says.

Weidman says smartphone security is a lot like PC security was a decade ago because these devices are so exposed, with no built-in email filtering or firewalls, for example. "If a GSM modem receives a message, it goes to the user without any filtering," she says. "Smartphones are the ideal place for malware writers to move to because smartphones are getting more powerful and more capable all the time ... I believe this is where malware is going."

In Weidman's hack, the "master" smartphone communicates via SMS messages to the bots without the user knowing, and the bot sends SMS spam without the user knowing. Her demo at ShmooCon will use three Android phones -- one of which is the master of the botnet. The attack is silent because it uses a proxy that sits in the OS between the modem and the userspace, she says. "It sees GSM traffic before it goes to userspace ... that's where the transparency comes in. If it receives an SMS, the proxy can swallow the message so the user never sees it."

The goal is for the botnet to go undetected: it must not drain the battery, and the spam SMS messages it sends never appear in the user's message log. Bots receive updates via SMS text messages containing shortened URLs, and the bots spread spam to other smartphones the same way.

Derek Brown, security researcher for HP TippingPoint's DVLabs, says SMS is a valid attack vector, but it has its limits. "At the end of the month when your detailed cell bill comes in, don't you see all of those messages to unintended locations?" Brown says. "[An attacker] would want to try something more surreptitious in the long-term."
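The proxy described above sits below userspace and swallows SMS traffic before the handset's message log ever sees it, while Brown's point is that the carrier still bills every message. That gap is a detection opportunity: reconcile the carrier's itemized record against the device's own message log and flag anything the carrier delivered or sent that the phone never showed. The script below is an added example, not code from the article or from Weidman's proof of concept; the two record formats, the matching tolerance and the list of URL-shortener hosts are assumptions, and the sample records are constructed.

```python
"""Reconcile a carrier's itemized SMS record against the handset's message log.

Carrier-side records (billing detail) have no message body, only time, direction
and peer number; device logs have the body as well. Any carrier record without a
device counterpart is traffic the user never saw, which is exactly what an
OS-level SMS proxy that "swallows" messages would produce. Messages carrying
shortened URLs are also flagged, since the article describes bot updates
arriving that way. Formats and sample data are assumptions for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed list of shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class SmsRecord:
    ts: datetime
    direction: str  # "in" or "out"
    peer: str       # other party's number
    body: str = ""  # empty for carrier records


def parse_carrier_csv(text: str) -> list[SmsRecord]:
    """Assumed carrier format: header line, then 'timestamp,direction,number'."""
    records = []
    for line in text.strip().splitlines()[1:]:
        ts, direction, number = (f.strip() for f in line.split(","))
        records.append(SmsRecord(datetime.strptime(ts, TS_FMT), direction, number))
    return records


def parse_device_log(text: str) -> list[SmsRecord]:
    """Assumed device export: 'timestamp|direction|number|body' per line."""
    records = []
    for line in text.strip().splitlines():
        ts, direction, number, body = line.split("|", 3)
        records.append(SmsRecord(datetime.strptime(ts, TS_FMT), direction, number, body))
    return records


def unseen_by_device(carrier, device, tolerance=timedelta(minutes=2)):
    """Carrier records with no device entry of the same direction and peer
    within `tolerance` (clock skew between carrier and handset is normal)."""
    remaining = list(device)
    unmatched = []
    for c in carrier:
        hit = next((d for d in remaining
                    if d.direction == c.direction and d.peer == c.peer
                    and abs(d.ts - c.ts) <= tolerance), None)
        if hit is None:
            unmatched.append(c)
        else:
            remaining.remove(hit)  # each device entry explains one carrier record
    return unmatched


def shortened_url_messages(device):
    """Device messages whose body links to a known URL-shortener host."""
    return [d for d in device
            if any(h.lower() in SHORTENER_HOSTS for h in URL_HOST_RE.findall(d.body))]


def analyse(carrier_text: str, device_text: str) -> dict:
    carrier = parse_carrier_csv(carrier_text)
    device = parse_device_log(device_text)
    hidden = unseen_by_device(carrier, device)
    return {
        "hidden_count": len(hidden),
        "hidden_peers": sorted({r.peer for r in hidden}),
        "shortened_url_count": len(shortened_url_messages(device)),
    }


# Constructed sample data: the carrier billed five messages, the handset shows
# three, and one visible message carries a shortener link.
CARRIER_CSV = """timestamp,direction,number
2011-01-28 09:00:00,out,+15550001
2011-01-28 09:05:00,in,+15550001
2011-01-28 09:20:00,out,+15550002
2011-01-28 09:20:05,out,+15550003
2011-01-28 10:00:00,in,+15550009
"""

DEVICE_LOG = """2011-01-28 09:00:30|out|+15550001|see you at noon
2011-01-28 09:05:10|in|+15550001|ok
2011-01-28 10:30:00|in|+15550004|update available http://bit.ly/xyz123
"""

if __name__ == "__main__":
    print(analyse(CARRIER_CSV, DEVICE_LOG))
```

Two of the billed outbound messages and one inbound message never reached the handset's log, which is the signature this kind of proxy leaves behind; a clean phone should reconcile to zero. The tolerance window matters in practice because carrier and handset clocks rarely agree to the second.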

Brown and a former colleague at DVLabs last year wrote a rogue Android app called WeatherFist that was downloaded by nearly 8,000 iPhones and Androids, demonstrating the ease of infecting smartphones with potentially malicious apps. WeatherFist, which linked to the Weather Underground website, gathered information on the users who downloaded it, such as their GPS coordinates and phone numbers.

Their app opened a socket in the background that left the phones open to communicate with their command-and-control server. "There are other ways of updating the software through the [app] marketplace," he says.

Weidman, meanwhile, says her botnet could easily be tweaked for more malicious purposes, such as stealing information from the smartphone bots. "You could know who they called, where they are, and when their phone was on or off," she says.

Her proof-of-concept code will not include any actual payloads, however. "In order to use it for tests, they need to create their own payload. I don't want it to be too easy," she says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
