Security researchers fooled nearly 8,000 iPhone and Android users into joining a mobile smartphone "botnet" under the guise of installing an apparently innocuous weather app. Derek Brown and Daniel Tijerina of TippingPoint's Digital Vaccine Group carried out the exercise in the run-up to a presentation at last week's RSA …
Security experts have nothing better to do than tell us "DO NOT TRUST ANYTHING. EVER!!!!!"
You can't even trust Security Experts now.
The reason social engineering is so successful in this era is because technology can be acquired so easily.
Mostly everyone has a computer in their house whether they know how to use it or not.
I could probably write a virus and call it "cr4zy h0rs3 pr0n!" and still infect thousands.
At least we know the boundaries of human stupidity haven't been reached yet.
A whole new generation of gullible souls to feed the conmen of the world.
This reminds me of something or other, and I've now lost my thread, and can't be arsed to tell you.
It would have been good though, trust me.
Producing an app that fraudulently advertised itself as a weather app while subversively installing a botnet.
Even as a research project this sounds less than legal
No, the weather app was genuine. As the article states, they created but didn't distribute a malicious version of the application.
So, if I'm understanding it correctly, anyone who has ever created an iPhone/Android application can then go and develop (but not release) a malicious version and claim that they've proved something clever about social engineering or security or something.
cr4zy h0rs3 pr0n!
I would be more concerned if such an app did make it onto an official marketplace. This is the kind of thing that official marketplaces are in the position to control.
You must live in a very happy world
If you believe that the monopoly marketplaces exist to promote security rather than guard the monopoly.
If the proof of concept has been this easy and successful, it's only a matter of time before someone gets one on a fishal marketplace. Hacker honour is at stake after all. Mind you, it will probably open a whole new business area - virus scanners for fanboi fones.
Who said it couldn't make an artificial monopoly AND promote security at the same time?
Regarding Apple's App store, you do have to provide a slew of information to Apple if you're either 1) registering as a company or 2) want to charge for an app or in-app purchases. So they know where to send the cops if need be. True, true, there is identity theft, but it's still more protection than random web links.
Then there is the little-discussed but not-yet used remote killswitch, in that the phone does check a blacklist, in case some malware did pop up. It's worth noting that the killswitch hasn't been activated at all so far, not even against things like cydia, tethering apps, wifi-apps, etc.
So when malware happens, the cops have a trail to follow, and Apple can remove it from phones faster than any virus scanner could.
"If the proof of concept has been this easy and successful, it's only a matter of time before someone gets one on a fishal marketplace."
Unlikely - all the apps are vetted before they are allowed onto the app stores.
You'd think that Google/Apple would notice any application that was trying to "phone home".
Of course, if your phone is cracked and you're downloading unsanctioned software then you don't have that important safeguard...
Shoot in the foot.
Surely this sort of 'research' can only serve to reinforce Apple's argument for a controlled software marketplace?
Anything except send spam email- on Android
The good android folks won't let you send e-mail without the user's explicit consent - pressing send on a message you can see on the screen.
There is (almost) no way in Android for a developer to send e-mail through the user's e-mail or gmail accounts, or any other standard mail server. All Java and Android APIs related to sending e-mail are disabled. You can code with them and either Eclipse will blow up and refuse to compile the app, or the app compiles and it blows up (FCs in Android speak) when you run it on the device.
(need a chocolate factory icon)
RE: Anything except send spam email- on Android
Even if you code it yourself to read the user's SMTP server information and telnet in on port 23?
This is why Apple (supposedly) trolls your app code. I wonder if they build your code themselves and post it on the app store, or if they just take your binary file as granted....
They're iPhone users, they deserve everything they get.
They are *jailbroken* iphone users, ergo, they are the (allegedly) more technically adept types and not the "typical fanboi" users that you are attempting to disparage.
Where can one buy an iPhone with Android OS then?
This applies to any smartphone they released the app on, not just the iPhone.
"They're iPhone users, they deserve everything they get."
So Android now works on the iPhone, does it? Please can you tell me what other miracles have happened in your reality?
...for making the app store look like a good idea :(
Android users only have themselves to blame
When you install an app on Android the system prompts you with a list of permissions that the application is requesting.
So a Weather applet might need access to the internet and possibly your coarse location data, but if when you install it you grant permissions for it to read your contacts, make phone calls, send email and access the GPS, then really, you only have yourself to blame.
Sensible permissions - and actually reading the screen at install time - do a lot of good: if the application requests access to things it shouldn't, then don't install it.
Slappy above says "Thanks ...for making the app store look like a good idea :(" - it doesn't. The App Store just gets users used to trusting everything rather than questioning what they are installing: what it advertises it does and what it actually requests access to - assuming your OS will let you see that.
Actually, the thing that really farks me off is that none of this actually makes sense. Even if they were distributing by both the Android and iTunes markets then obviously the clean version would install and when they upgraded to version 2.0-dodgy then it would make it obvious that something odd was going on (on Android) or you would hope this is the sort of shit gets picked up in the Apple review process.
Devs write program and get some people to install it. People install it. Devs point out that it could have been a virus. Idiots get free advertising.
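The install-time permission check described in the post above can be made mechanical. The script below is an added illustration, not code from the thread or from the researchers: it parses a constructed AndroidManifest.xml for a "weather" app, compares the requested `uses-permission` entries against an assumed baseline of what such an app plausibly needs (internet plus coarse location), and flags anything beyond that, with the sensitive extras (contacts, phone, SMS, fine location) called out separately. The baseline and the sensitive list are assumptions for the example, not Android policy.

```python
"""Flag over-privileged Android manifests for a given app type.

Added example for this thread; the sample manifest is constructed here,
and the EXPECTED / SENSITIVE sets are assumptions, not Android policy.
"""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed baseline: what a plain weather app plausibly needs.
EXPECTED = {
    "weather": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Assumed list of permissions that warrant a hard look in any app.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample: a "weather" app that also asks for contacts,
# phone, SMS and fine-location access, i.e. the over-reach the post warns about.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Weather"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def review(manifest_xml, app_type):
    """Compare requested permissions with the baseline for app_type.

    Returns a dict with the sorted requested set, the excess over the
    baseline, the sensitive subset of that excess, and a verdict string.
    """
    requested = requested_permissions(manifest_xml)
    excess = requested - EXPECTED[app_type]
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "sensitive_excess": sorted(excess & SENSITIVE),
        "verdict": "ok" if not excess else "over-privileged",
    }


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST, "weather")
    print("verdict:", result["verdict"])
    for perm in result["sensitive_excess"]:
        print("  sensitive permission not justified by a weather app:", perm)
```

The same review can be run over a real manifest pulled from an APK; the only thing to adjust is the baseline for the app type you are reviewing.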
RE: Android users only have themselves to blame
"Devs point out that it could have been a virus"
Umm but they DID write one that WAS a virus and just chose not to send it out. If they had, things would have been different - they would have been in legal trouble...
The point is that they have proof of concept code and a demonstrably effective release mechanism. What more can you legally prove?
Sweet sweet revenge
Mock how difficult the Symbian Platform Security model makes life for developers all you want but this has yet to happen after about 5 years of being deployed in the field, AFAIK. :-)