Last week at the RSA Conference, my colleague Derek Brown and I, presented findings from a research project titled MOBOTS: Pocketful of Pwnage, which was designed to show how easy it would be to create a large mobile botnet. Please note that we did not actually create a botnet; we simply presented results of two different experiments that showed how easy it would be to create one.
Despite the lack of actual drama (i.e. no botnet), the session has generated quite a bit of interest, so we wanted to take the opportunity to share the results with those that weren’t able to attend.
Background and Research
As stated, the point of this research was to show just how easily and quickly a hacker could amass a large army of mobile bots. The experiment involved two key pieces:
A control application: WeatherFist was a legitimate weather application that users could download to their smartphones. WeatherFist used a technique that enables the smartphone to “phone in” the users’ GPS coordinates to the application’s server so users can get accurate weather for their exact location. This application was posted – with links to a full EULA – on common app sharing sites like ModMyI (iPhone) and SlideMe (Android).
A test application: WeatherFistBadMonkey was a “malicious” version of the same application designed to look like – and on the surface, function like – the WeatherFist application. WeatherFistBadMonkey was created as a proof-of-concept to demo what a malicious application may do. WeatherFistBadMonkey used the same technique to “phone in” the GPS coordinates, but also performed other functions to convert the phone into a bot and submit sensitive user data to the application server. The WeatherFistBadMonkey application was not distributed publicly. It was tested solely on phones purchased for the experiment. Further, the purchased “test” phones were always, and continue to be, in our possession.
The control application, WeatherFist, received a lot of promotion on app sharing sites and was further hyped through the social networking machine that drives people to those sites. At the end of the project, 20,000 users had viewed the application and more than 8,000 actually downloaded it.
Again, it’s important to note that we did not actually create a mobile botnet. Instead we used these two experiments to show how easy it would be to 1) amass a large number of users if one wanted to create a botnet; and 2) create a legitimate-looking application that would render a mobile device a bot.
Smartphones are a critical piece of today’s network fabric and the results of this research show a gaping hole in the security of those networks. Organizations can use these results to create policy changes for appropriate use of smartphones in business settings, as well as provide better training on smartphone application usage. This further highlights the importance of locking down the enterprise network to keep smartphones from ‘phoning home’ any information that shouldn’t leave the data center.
The overarching goal was to highlight the security risks that continue to threaten the enterprise landscape and I think the results of this research did just that.
* Danny Tijerina is a security researcher within TippingPoint's DVLabs focusing on BotNets, malware/spyware, code obfuscation techniques, binary analysis techniques, and P2P protocol analysis.