Two researchers from TippingPoint’s Digital Vaccine Group duped thousands of iPhone and Android smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application. Kelly Jackson Higgins at DarkReading writes that Derek Brown and Daniel Tijerina created a smartphone application called WeatherFist. Over 8,000 users downloaded WeatherFist, which grabbed information from users, including their GPS co-ordinates and telephone numbers, before displaying local weather information.
The researchers chose not to distribute their application via the official iPhone and Android application stores, rather 
they distributed the WeatherFist application via third-party app markets like Cydia, SlideME and Modmyi. The apps could only be installed on jailbroken iPhones or Android devices where users had specifically given permission for non-approved applications to be run. “We wanted people to feel comfortable using the application and putting it on their phone so we would have permission to do a lot of things like pass GPS coordinates, write to the file system, and surf,” Brown told DarkReading.
At the 2010 RSA Security Conference the researchers claimed they also wrote a malicious version of their WeatherFist application, which they dubbed WeatherFistBadMonkey. According to the DarkReading report, the malicious app behaves more like traditional botnet code, stealing information and capable of distributing spam. “We could enable or disable system services [with a malicious app],” Brown says. The TippingPoint researchers told Dark Reading they wanted to prove how an app could behave like much of the traditional Windows malware which, steals information, and allows hackers to gain remote control of hijacked devices.
rb-
Smartphones are a part of today’s network and Brown and Tijerina claim that the results of this research shows a security hole in networks. Some of the ways to plug these new holes are to:
- Update policies for the proper use of smartphones
- Prohibit unsafe modifications of smartphones
- Allow apps only from reputable app stores
- Provide training on smartphone application usage
- Lock down the Wi-Fi network settings to keep smartphones from ‘phoning home’ any information that shouldn’t leave the firm.
