Smartphone app botnet experiment blows up a storm Security researchers fooled nearly 8,000 iPhone and Android users into joining a mobile smartphone "botnet" under the guise of installing an apparently innocuous weather app. Derek Brown and Daniel Tijerina of TippingPoint's Digital Vaccine Group carried out the exercise in the run-up to a presentation at last week's RSA …
The reason social engineering is so successful in this era is because technology can be acquired so easily.
Mostly everyone has a computer in their house whether they know how to use it or not.
I could probably write a virus and call it "cr4zy h0rs3 pr0n!" and still infect thousands.
At least we know the boundaries of human stupidity haven't been reached yet..
A whole new generation of gullible souls to feed the conmen of the world.
This reminds me of something or other, and I've now lost my thread, and can't be arsed to tell you.
It would have been good though, trust me.
No, the weather app was genuine. As the article states, they created but didn't distribute a malicious version of the application.
So, if I'm understanding it correctly, anyone who has every created an iPhone/Android application can then go and develop (but not release) a malicious version and claim that they've proved something clever about social engineering or security or something.
If you believe that the monopoly marketplaces exist to promote security rather than guard the monopoly.
If the proof of concept has been this easy and succesful, it's only a matter of time before someone gets one on a fishal marketplace. Hacker honour is at stake after all. Mind you, it will probably open a whole new business area - virus scanners for fanboi fones.
Who said it couldn't make an artificial monopoly AND promote security at the same time?
Regarding Apple's App store, you do have to provide a slew of information to Apple if you're either 1) registering as a company or 2) want to charge for an app or in-app purchases. So they know where to send the cops if need be. True, true, there is identity theft, but it's still more protection than random web links.
Then there is the little-discussed but not-yet used remote killswitch, in that the phone does check a blacklist, in case some malware did pop up. It's worth noting that the killswitch hasn't been activated at all so far, not even against things like cydia, tethering apps, wifi-apps, etc.
So when malware happens, the cops have a trail to follow, and Apple can remove it from phones faster than any virus scanner could.
"If the proof of concept has been this easy and succesful, it's only a matter of time before someone gets one on a fishal marketplace."
Unlikely - all the apps are vetted before they are allowed onto the app stores.
You'd think that Google/Apple would notice any application that was trying to "phone home".
Of course, if your phone is cracked and you're downloading unsanctioned software then you don't have that important safeguard...
The good android folks won't let you send e-mail without the user's explicit consent - pressing send on a message you can see on the screen.
There is (almost) no way in Android for a developer to send e-mail through the user's e-mail or gmail accounts, or any other standard mail server. All Java and android api's related to sending e-mail are diabled., You can code with them and either Eclipse will blow up and refuse to compile the app, or the app compiles and it blows up (FC's in android speak) when you run it on the device.
(need a chocolate factory icon)
When you install an app on Android the system prompts you with a list of permissions that the application is requesting.
So a Weather applet might need access to the internet and possibly your coarse location data, but if when you install it you grant permissions for it to read your contacts, make phone calls, send email and access the GPS, then really, you only have yourself to blame.
Sensible permissions -and actually reading the screen at install time actually does a lot of good -if the application requests access to things it shouldn't, then don't install them.
Slappy above says "Thanks ...for making the app store look like a good idea :(" -it doesn't. The App store just gets users used to trusting everything rather than questioning what they are installing; what it advertises to do and what it actually requests access to -assuming your OS will let you see that.
Actually, the thing that really farks me off is that none of this actually makes sense. Even if they were distributing by both the Android and iTunes markets then obviously the clean version would install and when they upgraded to version 2.0-dodgy then it would make it obvious that something odd was going on (on Android) or you would hope this is the sort of shit gets picked up in the Apple review process.
Devs write program and get some people to install it. People install it. Devs point out that it could have been a virus. Idiots get free advertising.
"Devs point out that it could have been a virus"
Umm but they DID write one that WAS a virus and just chose not to send it out. If they had, things would have been different - they would have been in legal trouble...
The point is that they have proof of concept code and an demonstrably effective release mechanism. What more can you legally prove?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
