All your smartphones are belong to us

A pair of researchers at the RSA 2010 security conference have demonstrated the feasibility of building a botnet using smartphones such as the iPhone or Android-like devices.

Derek Brown and Daniel Tijerina, security researchers with TippingPoint’s Digital Vaccine Group, presented their findings from a research project called MOBOTS: Pocketful of Pwnage, which was designed to show how easy it would be to create a large mobile botnet. They wrote an application titled WeatherFist, which fetched local and other weather forecast information for its users from the Weather Underground website. To do so, the program used a “phone home” technique to submit the user’s current GPS position and other specific data to a back-end server. That piece of software, available to the public, was downloaded by thousands of users. Interestingly, they distributed it outside official channels, i.e. Apple’s store and Android’s marketplace, and, despite the fact that it was not signed by a trustworthy authority, users decided to install it on their phones.

In the end, the project managed to attract more than 8000 smartphones, all running the researchers’ proof-of-concept arbitrary code and contacting their test server on a regular basis. That alone presented an “obedient army” of mobile devices which could, with malicious intent, be turned into a malevolent botnet.
