Skip to Content
Uncategorized

Smart Phone Zombie Apocalypse

A researcher creates a botnet for your pocket—a likely sign of things to come.
January 20, 2011

If you have a smart phone, online criminals may soon have your number. Smart phone malware is getting increasingly sophisticated, and now a security researcher has created software that turns a smart phone into a “zombie” that can be controlled remotely.

Georgia Weidman created the program, which controls an Android phone via short message service (SMS). She will demonstrate the software at the Shmoocon hacking conference in Washington, D.C., later this month.

Once only theoretical, real-world cell-phone viruses are becoming more common. Last August, a scam in Russia tricked users into installing malicious software on Android phones, and using the SMS functionality to send messages to a number that charged a premium fee. In late 2010, a Chinese virus for Android devices was used to steal personal data.

Botnets, or networks of computers that have been compromised by cybercriminals, have become a staple of Internet crime. They can be used to attack other systems, host attack tools, send spam, or just steal data. So far this kind of approach has been rare with mobile devices, but that seems to be changing.

“We have been taking down Internet botnets for years now, but there is not as much understanding [of telecom networking],” Weidman says. “I definitely see criminals going more and more toward using the telco’s network.”

Weidman’s attack works like this: After infecting a phone with a low-level program known as a rootkit, she uses that phone to send spam text messages, participate in a denial-of-service, or degrade the communications of the phone—all without the user knowing. The techniques apply to any smart phone, Weidman says, but she will use three different Android phones for her demo.

Today’s smart phones have multiple layers of defense. For one, they can block malicious applications. They also have managed channels, such as the Apple App Store and Google’s Android Marketplace, for applications.

As a result, Weidman says, infecting them is no easy task. “The hurdle with any malware is infecting the phone,” she says, noting that the methods used by cybercriminals usually do not work. “More of what you see of malware is people downloading applications for their phone that are infected,” she says.

Weidman’s program is one of the first known to turn smart phones into nodes of a botnet.

The problem of cybercriminals targeting consumers’ phones will only get worse, says Kevin Mahaffey, chief technology officer of mobile-security startup Lookout. Because the control of phones is so easy to turn into cash via premium text messages, criminals will be drawn to attack the devices.

“I always tend to look at the economics of the problem to ask myself whether it will continue in the future,” he says. “And because there is an incentive for attackers to compromise mobile phones, and the cost of compromising is not that high, that says it will become more prevalent in the future.”

Using the telecommunications network, rather than the Internet, for botnet control allows attackers to hide their actions from users. When the attacker does it using malicious software, the user has little chance of detecting it, says Weidman.

“When I infected a phone in my botnet—my lab botnet—with malware, the smart phone would receive a message through SMS and I would check to see if it has botnet instructions in it,” she says. “If it does, it would perform the functionality requests, and then it would swallow the message, so the user does not know that there was a message at all.”

While phones do not have the computing power of more traditional computers, they are hefty enough to handle many of the tasks that cybercriminals desire, she says. She adds that the sheer number of smart phones means that any botnet could be “a real threat.”

Keep Reading

Most Popular

Scientists are finding signals of long covid in blood. They could lead to new treatments.

Faults in a certain part of the immune system might be at the root of some long covid cases, new research suggests.

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.