Researchers build 8,000-strong smartphone botnet


Summary: Security researchers used the lure of an innocuous weather application to commandeer about 8,000 iPhones and Android devices in a mobile botnet.


Looking to raise awareness about the security implications of third-party apps in smartphones, a pair of security researchers used the lure of an innocuous weather application to commandeer about 8,000 iPhones and Android devices in a mobile botnet.

The research project, first discussed by Dark Reading's Kelly Jackson Higgins, was unveiled at this year's RSA conference to show how harmless-looking smartphone apps can harvest sensitive user information, including GPS coordinates and phone numbers.

The project is the brainchild of Derek Brown and Daniel Tijerina of TippingPoint's Digital Vaccine Group. According to the report, the experimental app links to the Weather Underground website and provides local and other weather forecast information to its users.


It was created and submitted to app clearinghouses that offer apps for Androids and jailbroken iPhones.

It should be made clear that only jailbroken iPhones were caught in the proof-of-concept botnet.  The researchers said they avoided Apple's iPhone app store because of Apple's strict security process, which includes code signing.

From the Dark Reading article:

Within an hour of the app being set up on the SlideME and ModMyI app sites, the researchers had 126 downloads, and 702 after eight hours. "After 24 hours, we had 1,862," Tijerina says. And as of yesterday, the count was 7,800 iPhones and Androids running the app. "This was really surprising because if this was malicious code, that's a lot of bots we would control," he adds.

To prove the dangers of the mobile botnet, the report said the pair also wrote a malicious version of the weather app that runs bot code and can grab contact information, cookies, and physical addresses, and can send spam runs.

The researchers say they have no plans to release the malicious application.

Topics: Hardware, Apps, iPhone, Mobility, Smartphones

  • Raising Awareness: Time to make a switch to an alternate O/S


    If you have just about had it with the BS Bots, viruses, trojans, BSoD/rootkits du jour, then maybe it's time to consider making a switch to the safest operating system on the planet?:

    Ubuntu 9.10 Linux

    Dietrich T. Schmitz
    GNU/Linux Advocate
    • Re: Time to Switch

      Guess you failed to read the article...
      the app was targeting iPhone and Android!
      AFAIK, Ubuntu will not run on Droid or

      Epic fail...NEXT!
      • Uh oh, looks like you'd better contact Engadget, to point out their error.

        They say it will.
        • I stand corrected...

          AzuMao...tip of the hat! However...
          That was Ubuntu 7 right? Has it gone
          anywhere since 2007? I've never seen
          one, though granted I don't shop for
          smartphones that much.
          C U L8R! <{;-)
    • ^^ The above is spam

      Let's hope it gets deleted for false advertising.
      Loverock Davidson
      • Hilarious, coming from you.

        • Indeed

          I was thinking the same thing; I'm an Ubuntu fan, sure, but I don't go around making ridiculously false claims about it (as the first post did).

          Nor, however, do I go around routinely arguing with people that obviously have a clue (as the post before yours did).

          I will, however, comment on something I like, at least from time to time (as I am doing now).
    • Huh?

      Ubuntu is far from the most secure distro.
      In fact I'd go so far as to say Linux isn't even
      the most secure kernel; that title belongs to a
      *BSD or *Solaris.

      Also, you don't need to switch to anything, just
      don't illegally hack the OS of your smartphone to
      disable the built-in protection that ships with it
      by default to prevent piracy.
      • Ding, ding, ding, shill alert!

        He's an Apple employee boys, bet he's even got a picture of Steve Jobs tacked up inside o' his garage...

        (2 points to the first person that recognizes the reference...)
        • I ain't even got a garage

          Uneasy Rider - Charlie Daniels Band

          "And I ain't even got a garage, you can call home and ask my wife."
        • No, I'm just someone who RTFAs before commenting.

          The user isn't even able to install this trojan unless he first replaces key parts of the operating system on the iPhone with illegal versions that disable the built-in security systems.

          Don't get me wrong, I still think Apple stuff is overpriced.
        • Reference: Straw Man...

          As in what kind of attack this is, Wolf_Zealot. But then, most everybody
          already knows this.
      • ..

        Azumao, out of the ones that are still commonly
        used today. I would point you to some of the
        deprecated systems such as VMS though if you wanna
        get really serious about that discussion =)

        What does any of this have to do with iPhone
        botnets though?
        • Not much.

          I was replying to D. T. Schmitz's post, not Ryan Naraine's story.

          He said Ubuntu 9.10 was the most secure OS, and that the iPhone needed switched to an alternative OS to not be affected by this. Both of which are wrong.
    • I don't see no Ubuntu running on no smart-phones.

      Stupidest post of the year so far.
      • Really?

        Then what's this?
        • Looks to me

          Like an abandoned project
          The one and only, Cylon Centurion
        • Looks like a tablet based OS.

          and not a phone (Note: I said smartphone) system.

          I guess: "I [still] don't see no Ubuntu running on no smart-
    • Wow D

      This article was about smartphones. Sheesh. Ed is right when he calls you out for not reading the article before hand.
      The one and only, Cylon Centurion
      • On my screen it's Loverock calling him out.

        Surely they're not the same person?

        I mean I know they both like Windows but their personalities seem quite different.

        p.s. Also, the calling out was invalid.