If you have a smart phone, online criminals may soon have your number. Smart phone malware is getting increasingly sophisticated, and now a security researcher has created software that turns a smart phone into a “zombie” that can be controlled remotely.
Georgia Weidman created the program, which controls an Android phone via short message service (SMS). She will demonstrate the software at the Shmoocon hacking conference in Washington, D.C., later this month.
Once only theoretical, real-world cell-phone viruses are becoming more common. Last August, a scam in Russia tricked users into installing malicious software on Android phones, and using the SMS functionality to send messages to a number that charged a premium fee. In late 2010, a Chinese virus for Android devices was used to steal personal data.
Botnets, or networks of computers that have been compromised by cybercriminals, have become a staple of Internet crime. They can be used to attack other systems, host attack tools, send spam, or just steal data. So far this kind of approach has been rare with mobile devices, but that seems to be changing.
“We have been taking down Internet botnets for years now, but there is not as much understanding [of telecom networking],” Weidman says. “I definitely see criminals going more and more toward using the telco’s network.”
Weidman’s attack works like this: After infecting a phone with a low-level program known as a rootkit, she uses that phone to send spam text messages, participate in a denial-of-service, or degrade the communications of the phone—all without the user knowing. The techniques apply to any smart phone, Weidman says, but she will use three different Android phones for her demo.
Today’s smart phones have multiple layers of defense. For one, they can block malicious applications. They also have managed channels, such as the Apple App Store and Google’s Android Marketplace, for applications.
As a result, Weidman says, infecting them is no easy task. “The hurdle with any malware is infecting the phone,” she says, noting that the methods used by cybercriminals usually do not work. “More of what you see of malware is people downloading applications for their phone that are infected,” she says.
Weidman’s program is one of the first known to turn smart phones into nodes of a botnet.
The problem of cybercriminals targeting consumers’ phones will only get worse, says Kevin Mahaffey, chief technology officer of mobile-security startup Lookout. Because the control of phones is so easy to turn into cash via premium text messages, criminals will be drawn to attack the devices.
“I always tend to look at the economics of the problem to ask myself whether it will continue in the future,” he says. “And because there is an incentive for attackers to compromise mobile phones, and the cost of compromising is not that high, that says it will become more prevalent in the future.”
Using the telecommunications network, rather than the Internet, for botnet control allows attackers to hide their actions from users. When the attacker does it using malicious software, the user has little chance of detecting it, says Weidman.
“When I infected a phone in my botnet—my lab botnet—with malware, the smart phone would receive a message through SMS and I would check to see if it has botnet instructions in it,” she says. “If it does, it would perform the functionality requests, and then it would swallow the message, so the user does not know that there was a message at all.”
While phones do not have the computing power of more traditional computers, they are hefty enough to handle many of the tasks that cybercriminals desire, she says. She adds that the sheer number of smart phones means that any botnet could be “a real threat.”