For some time now, experts in the information security community have been concerned about the possibility of mobile phone botnets. It now appears these fears may have been well-grounded, as suggested in the article below. While there are billions of desktop and portable computers in the world, there are billions more mobile phones. As the computing power of mobile smartphones increases, they have been transformed from simple hand-held devices used solely for placing voice calls into highly capable, full-fledged portable computers. In fact, today’s iPhone likely has more processing power than most desktop machines had just a few short years ago. These developments, driven by Moore’s law, have created a fundamental shift in the nature of computing and how people access the global power of the Internet.

As portable computing devices become more powerful, end-users are storing serious amounts of information on them. While one was unlikely to “lose” a desktop computer sitting in one’s living room, such is not the case with a mobile phone. Given the vast amounts of personal data that are stored on smartphones, not to mention the associated banking “apps,” social networking “apps” and even airplane ticket “apps,” these devices pose a significant security threat to end-users should the devices be lost or stolen, or have their operating system security compromised. Mobile phone security software is a nascent industry, and few if any users utilize anti-virus technologies for their mobile phone’s operating system.

The incident below shows just how easy it is to infect a mobile phone with malware. While the author makes reference to mobile phone botnets in his article, he unfortunately does not develop the idea well. That said, the potential is rather self-evident. The propagation of mobile phone malware could happen very quickly, and millions if not billions of mobile phones could find themselves unknowingly part of an international bot-network.

The threat is not to be taken lightly for a number of reasons. Firstly, given the vast number of mobile phone devices, the sheer number of potential new attack vectors directed at any particular target would be staggering. In addition, given the trend towards mobile computing (witness the recent birth of the iPad), security will have to be more seriously considered by those who develop and market these devices.

In a world where an increasing number of devices are being given access to the Internet, including cars, refrigerators and even medically-implanted devices, the potential exists for next-generation botnets to encompass a wide variety of gadgets where little, if any, attention has been paid to security.

In some parts of the world, including most of the developing world, mobile phones will be the predominant means of accessing the Internet.

Sneaky app shows potential for smartphone botnets

by Jim Giles, Correspondent
The New Scientist

March 5, 2010

Security researchers have installed potentially dangerous software on thousands of smartphones to illustrate a new security threat. They believe their creation is the first ever demonstration of a mobile “botnet”.

Botnets are networks of computers that have been broken into and brought under the control of a malicious hacker. The networks, which are used to send spam and steal online banking passwords, include millions of “zombie” machines worldwide.

Smartphones such as the iPhone and devices running the Android operating system have not previously been targeted by botnet owners. But Derek Brown and Danny Tijerina at TippingPoint, a computer security firm in Austin, Texas, have now shown that it would be relatively easy to do so.

Brown and Tijerina created a smartphone application called WeatherFist, which purported to be a weather forecasting service, and uploaded the software to a variety of online “app” stores. Around 7800 users have downloaded WeatherFist onto their phones in the last few months, Brown and Tijerina told the RSA Conference in San Francisco.

The app does indeed provide weather forecasts. But the app also secretly passed users’ locations and phone numbers to a server controlled by Brown and Tijerina. The pair created a second version of the software, called WeatherFistBadMonkey, able to send names, phone numbers and addresses from a phone’s contacts list to the server too.

That version was only tested on Brown and Tijerina’s own phones. Such software could also potentially be “upgraded” to steal files from the phone, log keyboard entries or send emails, say Brown and Tijerina.

iPhone users are much better protected against such attacks. Most users only download apps from the official Apple app store, which is monitored for dangerous software. Brown and Tijerina submitted WeatherFist to ModMyi, an alternative app store that caters to iPhones that have been modified to accept software not on the official app store. This modification, known as jailbreaking, is strongly discouraged by Apple.

Phones using Google’s Android operating system, however, do not need to be jailbroken to accept unofficial software. Over 90 per cent of WeatherFist downloads were to Android phones. “The average user is not tech-savvy enough to police the apps they put on their phone,” says Brown.

A Google spokesperson says that Android users receive a security warning when they download apps from sites other than the official Android Market. The Android Market itself is also monitored for malicious content.