Smart Phone Zombie Apocalypse

A researcher creates a botnet for your pocket—a likely sign of things to come.

If you have a smart phone, online criminals may soon have your number. Smart phone malware is getting increasingly sophisticated, and now a security researcher has created software that turns a smart phone into a “zombie” that can be controlled remotely.

Georgia Weidman created the program, which controls an Android phone via short message service (SMS). She will demonstrate the software at the Shmoocon hacking conference in Washington, D.C., later this month.

Once only theoretical, real-world cell-phone viruses are becoming more common. Last August, a scam in Russia tricked users into installing malicious software on Android phones, and using the SMS functionality to send messages to a number that charged a premium fee. In late 2010, a Chinese virus for Android devices was used to steal personal data.

Botnets, or networks of computers that have been compromised by cybercriminals, have become a staple of Internet crime. They can be used to attack other systems, host attack tools, send spam, or just steal data. So far this kind of approach has been rare with mobile devices, but that seems to be changing.

“We have been taking down Internet botnets for years now, but there is not as much understanding [of telecom networking],” Weidman says. “I definitely see criminals going more and more toward using the telco’s network.”

Weidman’s attack works like this: After infecting a phone with a low-level program known as a rootkit, she uses that phone to send spam text messages, participate in a denial-of-service, or degrade the communications of the phone—all without the user knowing. The techniques apply to any smart phone, Weidman says, but she will use three different Android phones for her demo.

Today’s smart phones have multiple layers of defense. For one, they can block malicious applications. They also have managed channels, such as the Apple App Store and Google’s Android Marketplace, for applications.

As a result, Weidman says, infecting them is no easy task. “The hurdle with any malware is infecting the phone,” she says, noting that the methods used by cybercriminals usually do not work. “More of what you see of malware is people downloading applications for their phone that are infected,” she says.

Weidman’s program is one of the first known to turn smart phones into nodes of a botnet.

The problem of cybercriminals targeting consumers’ phones will only get worse, says Kevin Mahaffey, chief technology officer of mobile-security startup Lookout. Because the control of phones is so easy to turn into cash via premium text messages, criminals will be drawn to attack the devices.

“I always tend to look at the economics of the problem to ask myself whether it will continue in the future,” he says. “And because there is an incentive for attackers to compromise mobile phones, and the cost of compromising is not that high, that says it will become more prevalent in the future.”

Using the telecommunications network, rather than the Internet, for botnet control allows attackers to hide their actions from users. When the attacker does it using malicious software, the user has little chance of detecting it, says Weidman.

“When I infected a phone in my botnet—my lab botnet—with malware, the smart phone would receive a message through SMS and I would check to see if it has botnet instructions in it,” she says. “If it does, it would perform the functionality requests, and then it would swallow the message, so the user does not know that there was a message at all.”

While phones do not have the computing power of more traditional computers, they are hefty enough to handle many of the tasks that cybercriminals desire, she says. She adds that the sheer number of smart phones means that any botnet could be “a real threat.”

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.
Subscribe today

Uh oh–you've read all five of your free articles for this month.

Insider Premium

$179.95/yr US PRICE

More from undefined

Want more award-winning journalism? Subscribe and become an Insider.

  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Join in and ask questions as our editors talk to innovators from around the world.

  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

You've read of free articles this month.