Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

Next Great App for Android, iPhone –> Rootkit

Rootkit, SMS text messages used to build a botnet of smartphones

The “hot” tech items to own these days are the (not inexpensive) iPhone and Android “smart phone” devices. (If you doubt that, ask yourself why does the news infotainment departments send reporters and camera crews to film lines of people standing outside the Apple Store when a new model comes out?)

These phones are really not phones anymore, but mini-computers – which happen to make cellular phones calls. They are Internet-connected, so they can send/receive e-mail, text and ‘chat’, and download files.. such as movies. They contain address books of your friends and family… In short, they have everything a cyber-criminal wants to target.

In the interest of making the world a better place, “a researcher at ShmooCon DC this weekend will demonstrate a smartphone botnet spewing spam, and unleash proof-of-concept code that builds a botnet out of Android and iPhone smartphones.

Yes, that’s right. A “researcher” will show us all how it’s done, and provide the code.

Georgia Weidman, an independent researcher, says her botnet attack evolved out of work she did on making an Android application send SMS text messages transparently such that the user didn’t even know it was happening from his or her smartphone. “As I did more research, I [realized] if I did this in the base operating system instead of in ‘userspace’ where most apps are, it would be a better way to do it,” she says. “If I can remotely control someone’s phone, it can be part of a botnet.”

While there has been plenty of smartphone research that pits one smartphone against another in an attack, she says, a more likely attack scenario would be a user unknowingly downloading an app that contains malicious code. “I think the majority of malware installations will come from a user downloading infected apps,” which can easily be rigged with rootkits given the lack of sufficient vetting of most smartphone apps, she says.

Well.. now that all someone has to do is copy>paste the code, yeah, she’s right. Invisible viruses that turn your smart phone into relay stations for spammers — sending us come on’s for V1@gra and C1al1s, and virus-laden links and attachments are only, I estimate, weeks away.

… and before you get too angry at this particular person, there is a whole industry of people doing this “research”, and several conventions have been going on for years. I believe that (some of) these people actually believe they are doing a good thing.

And maybe they would be.. if they only released the code to the affected device (or software) manufacturers and developers. But you don’t get rich or famous for that. (Maybe you heard about the “teen hacker” who got hired after writing viruses that attacked Twitter? There’s a lot of that kind of idiocy in tech..)

Here is the entire Dark Reading article, Researcher To Release Smartphone Botnet Proof-Of-Concept Code. I suggest you read it. Particularly if you own a smart phone.

In case you don’t know what a “botnet” is, http://en.wikipedia.org/wiki/Botnet
Or why a “rootkit” is the worst kind of virus, http://en.wikipedia.org/wiki/Rootkit

Does your smart phone have an antivirus? A firewall? Maybe you want those things?
Maybe it’s important to know that the apps at the app store are not checked (aka “vetted”) for malware? Doesn’t that *smell*?

IMHO, there is something wrong with this whole deal. Top to bottom.

Related:
* iPhone Users Are About to Be Screwed Over. The addition of the NFC chip to the iPhone isn’t for easy credit card purchases, but so the phone companies can control your financial transactions. Be warned. ~ By John C. Dvorak

“There has been a lot of talk about the addition of an NFC (near field communication) chip to the next-gen iPhone. This will allow the phone to be used as a swipe-it-yourself credit card. I consider this technology to be the most onerous ever.”

* CNet’s roundup of security apps for Android.

Copyright 2007-2011 © “Tech Paul” (Paul Eckstrom). All Rights Reserved.

>> Folks, don’t miss an article! To get Tech – for Everyone articles delivered to your e-mail Inbox, click here, or to subscribe in your RSS reader, click here. <<

January 31, 2011 - Posted by | advice, Apple, cellular, computers, cyber crime, gadgets, Google, hackers, hardware, Internet, iPhone, mobile, News, rootkits, security, tech | , , , , , , , , , , , , , , , , , ,

8 Comments »

  1. Paul,

    Getting “angry” with security researchers, seems both shortsighted and counterproductive, to me.

    Rather than vilify those who point out security shortcomings, we should be encouraging MORE research. Particularly by independent researchers who have no built-in loyalties in keeping such issues hidden.

    It’s foolish to believe that cyber criminals aren’t engaged in exactly the same type of “research”.

    The fact is, security shortcomings are brought out of the closet far more often by independent researchers, than by product developers. Just one small example – Microsoft and every version of IE, including IE 9.

    Anyone who doesn’t understand that the “hack”, referred to in the linked article is already well understood by cyber crooks, has watched the Internet/connected devices security train, pull out of the station a long time ago.

    Bill

    Like

    Comment by Bill Mullins | January 31, 2011 | Reply

    • Bill Mullins,
      I certainly see your point, and acknowledge that vulnerability research is vitally important. (I was hoping someone would make it, actually.)

      I also acknowledge that sometimes, the only way the device manufacturers and software writers took any action was when the hack was made public (Apple is one that is known for being slow/non-responsive to published vulnerabilities, for just one example). The researcher had informed them privately, and nothing was done.

      Also, I applaud the device manufacturers/software companies that have taken to sponsoring “bug bounty” programs. (Which reward researchers for the hacks they find.)

      But I am highly bothered by those who — whatever their motivation may be — leap straight to the “here’s the exploit code” (or working hack) . In my mind at least, this is very much providing arms and ammunition to the enemy. Yes, I can see the “big picture”, and see how in the long run, the publication may change things and make us safer. But that doesn’t mean that in the meantime, a lot of people aren’t going to be hurt.
      And that bothers me.

      As always, it is great to see your name here, and thank you for your expert input.

      Folks, if you are not familiar with Bill Mullins, he writes a series which is not only Top Notch (and was the first website I listed in my Blogroll) but should be “required reading” for anyone using the Internet these days.

      If you have not done so, or done so recently, please visit Tech Thoughts, won’t you? (find out why I call him the “hardest working man in the tech blog business”..)

      Like

      Comment by techpaul | January 31, 2011 | Reply

  2. Soon we may see slower smartphones due to real time av. Common sense is the most effective protection.

    Like

    Comment by Murugesan | January 31, 2011 | Reply

    • Murugesan,
      Yes. And, yes.

      And, hopefully, phones that do not automatically download email and SMS.. etc., etc., etc..
      As well as phones fast enough to handle a heuristic AV/firewall w/o any noticeable slowdowns. The AV and phone makers are working on this already. Because, unless it’s “dumb”, an Internet-connected device should have AV.

      Like

      Comment by techpaul | January 31, 2011 | Reply

  3. Paul,

    I see the different sides of this topic, and agree with everything said by all. It’s good to advertise exploits so the manufacturers will be compelled to act.

    However, I feel that providing the actual hack code may add some budding young hackers or cybercriminal wannabes to the mix. There’s no need for them to hang around a known hacker chat room and maybe get caught downloading malicious code, let’s supply it for them!

    Sure, let the media know what you have discovered and make your presentation to show how well it works, but release the complete code to the manufacturers and engineers, not to everyone.

    To make an extreme analogy, if a researcher discovered a new high explosive and wanted national acclaim, a demonstration would do the job fine. The actual chemical formula shouldn’t be made available for everyone to try. And, I think it is that serious.

    It’s too tempting for some folks, especially young kids. Most of the Denial of Service attacks and other similar “bots” are written by 10 to 14 year old kids that are just being mischievous or looking for some acknowledgement from their peers. We don’t need to give them ammunition…

    Like

    Comment by KsTinMan | February 1, 2011 | Reply

    • KsTinMan,
      The ‘straw that broke the camel’s back’ for me was — some “researcher” decided Facebook and other sites who don’t use SSL for logins needed a wake-up call so he released a Add-on for Firefox, called “Firesheep”. See, Firesheep Firefox Plugin Allows Users To Steal Passwords & Hack Facebook Accounts.
      Anyone can be a “hacker” in a couple of clicks…

      And I was not the only one to say, “hey, wait a minute now..”

      Like

      Comment by techpaul | February 1, 2011 | Reply

  4. I have been absent for some time, but now I remember why I used to love this website. Thanks , I will try and check back more often. How frequently you update your web site?

    Like

    Comment by Nicholas Hooper | February 13, 2011 | Reply

    • Nicholas Hooper,
      I usually post something everyday. There (currently) are over 1,300 articles here.

      Like

      Comment by techpaul | February 13, 2011 | Reply


Post your Comment/Question

« Previous | Next »