Looking to raise awareness about the security implications of third-party apps in smartphones, a pair of security researchers used the lure of an innocuous weather application to commandeer about 8,000 iPhones and Android devices in a mobile botnet.
The research project, first discussed by Dark Reading's Kelly Jackson Higgins, was unveiled at this year's RSA conference to show how harmless-looking smartphone apps can harvest sensitive user information, including GPS coordinates and phone numbers.
The project is the brainchild of Derek Brown and Daniel Tijerina of with TippingPoint's Digital Vaccine Group. According to the report, the experimental app links to the Weather Underground Website and provides local and other weather forecast information to its users.
It was created and submitted it to app clearinghouses that offer apps for Androids and jailbroken iPhones.
It should be made clear that only jailbroken iPhones were caught in the proof-of-concept botnet. The researchers said they avoided Apple's iPhone app store because of Apple's strict security process, which includes code signing.
Within an hour of the app being set up on the SlideME and ModMyI app sites, the researchers had 126 downloads, and 702 after eight hours. "After 24 hours, we had 1,862," Tijerina says. And as of yesterday, the count was 7,800 iPhones and Androids running the app. "This was really surprising because if this was malicious code, that's a lot of bots we would control," he adds.
To prove the dangers of the mobile botnet, the report said the pair also wrote a malicious version of the weather app that runs bot code and can grab contact information, cookies, and physical addresses, and can send spam runs.
The researchers say they have no plans to release the malicious application.