Researcher To Release Smartphone Botnet Proof-Of-Concept Code

Rootkit, SMS text messages used to build a botnet of smartphones
A researcher at ShmooCon DC this weekend will demonstrate a smartphone botnet spewing spam and unleash proof-of-concept code that builds a botnet out of Android and iPhone smartphones.

Georgia Weidman, an independent researcher, says her botnet attack evolved out of work she did on making an Android application send SMS text messages transparently, so that the user didn't even know messages were being sent from his or her smartphone. "As I did more research, I [realized] if I did this in the base operating system instead of in 'userspace' where most apps are, it would be a better way to do it," she says. "If I can remotely control someone's phone, it can be part of a botnet."

While there has been plenty of smartphone research that pits one smartphone against another in an attack, she says, a more likely attack scenario would be a user unknowingly downloading an app that contains malicious code. "I think the majority of malware installations will come from a user downloading infected apps," which can easily be rigged with rootkits given the lack of sufficient vetting of most smartphone apps, she says.

Weidman says smartphone security is a lot like PC security was a decade ago because these devices are so exposed, with no built-in email filtering or firewalls, for example. "If a GSM modem receives a message, it goes to the user without any filtering," she says. "Smartphones are the ideal place for malware writers to move to because smartphones are getting more powerful and more capable all the time ... I believe this is where malware is going."

In Weidman's hack, the "master" smartphone communicates via SMS messages to the bots without the user knowing, and the bot sends SMS spam without the user knowing. Her demo at ShmooCon will use three Android phones -- one of which is the master of the botnet. The attack is silent because it uses a proxy that sits in the OS between the modem and the userspace, she says. "It sees GSM traffic before it goes to userspace ... that's where the transparency comes in. If it receives an SMS, the proxy can swallow the message so the user never sees it."

And the goal is for it to go undetected, without sapping the battery or even showing the spammed-out SMS messages. Bots get updated via the SMS text messages with shortened URLs, and spam also is spread that way from the bots to other smartphones.

Derek Brown, security researcher for HP TippingPoint's DVLabs, says SMS is a valid attack vector, but it has its limits. "At the end of the month when your detailed cell bill comes in, don't you see all of those messages to unintended locations?" Brown says. "[An attacker] would want to try something more surreptitious in the long-term."

Brown and a former colleague at DVLabs last year wrote a rogue Android app called WeatherFist that was downloaded by nearly 8,000 iPhones and Androids, demonstrating the ease of infecting smartphones with potentially malicious apps. WeatherFist, which linked to the Weather Underground website, gathered information on the users who downloaded it, such as their GPS coordinates and phone numbers.

Their app opened a socket in the background that left the phones open to communicate with their command-and-control server. "There are other ways of updating the software through the [app] marketplace," he says.

Weidman, meanwhile, says her botnet could easily be tweaked for more malicious purposes, such as stealing information from the smartphone bots. "You could know who they called, where they are, and when their phone was on or off," she says.

Her proof-of-concept code will not include any actual payloads, however. "In order to use it for tests, they need to create their own payload. I don't want it to be too easy," she says.
