Two researchers at TippingPoint’s Digital Vaccine Group have duped thousands of iPhone and Android smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application.
According to a report by Kelly Jackson Higgins of DarkReading, Derek Brown and Daniel Tijerina revealed at the RSA Conference last week how they had created a smartphone application called WeatherFist which grabbed information from users, including their GPS co-ordinates and telephone numbers, before displaying local weather information.
Tijerina and Brown chose not to distribute their application via the official iPhone and Android application stores, presumably because they believed it might not be successful.
Instead, they distributed the WeatherFist application via third-party app markets like Cydia, SlideME and Modmyi, meaning that it could only be installed on jailbroken iPhones or on Android devices where users had specifically given permission for non-approved applications to be run.
Almost 8000 smartphones had been recruited into Brown and Tijerina’s experimental botnet before the duo went public with their experiment.
“So what?”, you might ask, and with good reason. After all, it’s understandable that a mobile phone app might want to gather your GPS location and convert it into a zip code in order to provide a useful weather forecast.
However, the researchers claim that they also wrote a malicious version of their WeatherFist application, which they dubbed WeatherFistBadMonkey. According to the DarkReading report, the malicious WeatherFistBadMonkey app behaves more like traditional botnet code, stealing information and being capable of distributing spam.
Fortunately, Tijerina and Brown say that they have not distributed WeatherFistBadMonkey, and have only run the code on their own smartphones.
In explanation for their behaviour, the TippingPoint researchers told DarkReading that they wanted to prove how an app could behave like much of the traditional Windows malware we see, stealing information and allowing hackers to gain remote control of hijacked devices.
However, didn’t we see an example of an iPhone botnet active on jailbroken iPhones last November? The Duh worm came hot on the heels of the Ikee worm, the first in-the-wild malware that we had seen for jailbroken iPhones.
It isn’t clear to me why the TippingPoint researchers felt the need to distribute their app to prove something that was already known to be possible, and indeed had been done by cybercriminals in a real-life situation.
Software code is software code – it can do cool stuff and it can do uncool stuff. It makes no difference whether you are running your app on a desktop PC or a smartphone: the program you are running can do anything which the operating system allows, including – sometimes – bad stuff.
None of us should need security researchers to conduct experiments like this to prove what we should already know.