Just what we need: Malware to slave your Android to a botnet

Researcher demonstrates exploit that turns smartphones into SMS-spamming zombies

December 07, 2011, 3:52 PM — It’s bad enough knowing the smartphone in your pocket – the one you quickly came to rely on so completely you can’t imagine going back to a smartish phone, or even a dumb one –comes with top-shelf spyware pre-installed as a garnish to the insecurity inherent in Android, the device and the network.

It’s worse, or would be, if the somewhat primitive but increasingly common malware available for Android were able to recruit your sexy little pocket computer into a botnet that would make it look to your contacts as if your main goal with a smartphone is to spam them with commercial text messages and malware.

Despite the relatively lower level of security available on phones, it’s still considered much more rude to spam via text or via mobile email than it is to do the same thing using a PC.

Plenty of Java and Flash-based exploits are transferrable from other devices to Android, and custom-coded Android malware is starting to appear.

Luckily Android devices so far have not been recruited into armies of tiny adorable zombies taking orders from the same botnet-controllers that use your hardware to make money spreading spam, malware and extorting money from skittish security managers with threats of DDOS attacks during peak hours.

Or they hadn’t, until yesterday.

At TakeDownCon in Las Vegas, independent security researcher Georgia Weidman demonstrated her proof-of-concept Android botnet.

The malware Weidman created for the purpose installs itself in a safe spot between the operating system and its security using techniques similar to those Carrier IQ uses to monitor every action that takes place on the phone, she told Ars Technica.

The malware installs itself below the permissions-based security model of Android so it can do what it likes without having to ask permission or raising any red flags for the user.

The malware effectively roots the phone itself, though it doesn’t give those privileges to the user.

Weidman developed the exploit while investigating ways malware could force Android devices to distribute spammy SMS messages. Smartphones and the broadband networks connecting them have become powerful enough that, within a very few years, any major DDOS, Spam or botnet-driven major attack will include zombified smartphones as well as enslaved PCs to do the distribution, she predicted to Ars Technica

About Author