Mobile
Commentary
9/14/2011
01:29 PM
Kurt Marko

Rise Of Android Botnets

No, it's not the latest series on the Syfy network, much as affected companies may wish this trend were fiction.

The size of the smartphone malware "market" was made clear last week in a report issued by Damballa Labs that offers a rare analysis of mobile botnets. Now, if you've followed InformationWeek's Mobile Security Tech Center, you know that malware targeting mobile devices -- effectively smartphones, since the tablet market is owned by iPad, which has yet to see a successful malware penetration -- is on the rise. Today, breaking into connected devices and compromising online identities is big business, and smartphones are the next front in the cybercrime battlefield.

Damballa found that in the first half of this year, the number of compromised Android devices communicating with known criminal command and control (C&C) networks grew significantly, topping out at 20,000 devices on two particularly nasty weeks. This marks a disturbing milestone in the evolution of mobile malware, since until recently, mobile exploits typically didn't involve a persistent takeover of the device and active communication with a C&C botnet. As the report concludes, "two-way Internet communication now makes the mobile market as susceptible to criminal breach activity as desktop devices."

Magnifying the risk is the fact that, as Damballa points out, many of these devices also join corporate Wi-Fi networks, where they are largely flying under the radar of existing security protocols and thus are ready agents for spreading malware to other internal systems, even PCs.

Just how easy is it to create and control an Android botnet? This was demonstrated last winter at ShmooCon by Georgia Weidman (watch an interview describing the technique here and download her presentation here).

Weidman's code inserts itself into the phone's modem driver and the rest of the telephony stack, ingeniously using the SMS messaging protocol to control the underlying malware. SMS makes a great C&C channel, according to Weidman, since it's fault-tolerant (SMS queues messages for later delivery if the network is unavailable), hard for security teams to monitor (since it's operated by the telecom carrier), and, perhaps most importantly, power-efficient. That's critical because IP traffic, over Wi-Fi or 3G, is one of the biggest smartphone battery drains. By using a lightweight protocol like SMS, botnet operators can have a relatively chatty dialog with their slave devices without tipping the owners off that something might be amiss on their phones. The downsides are that SMS instructions are limited to 160 characters, and users may eventually notice messaging charges on their phone bills.

Installation follows the typical path of getting someone to install a Trojan app. Weidman sums up the significance of this attack vector: "If attackers can get the bot installed, they can remotely control a user's phone without giving any sign of compromise to the user." The malicious beauty of a smartphone or tablet bot is the very mobility of the host; its nomadic network transience exposes the malware to more victims ... sort of like a traveling salesman with tuberculosis.

With mobile devices the new frontier for cybercrime, some basic security advice bears repeating. Mobile malware is primarily spread through native apps, which largely explains why iPhone and iPad users are less vulnerable, shielded by Apple's curated App Store. In contrast, IT should educate Android aficionados to curb urges toward download promiscuity, since the Android Marketplace is open to anyone and doesn't perform any security checks before publishing an app. Sure, Android forces apps to inform users of the phone features they need, but there is nothing to prevent them from abusing the privilege. Even seemingly benign capabilities, like being able to send SMS text messages, can be deviously employed, as Weidman's botnet software makes abundantly clear.
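As an added illustration (not part of the original article, and not Weidman's code), here is one way an IT team could vet an app's declared permissions before approving it: the script flags SMS-related permissions and any receiver registered for incoming SMS at elevated priority. It assumes the APK's AndroidManifest.xml has already been decoded to text XML; the sample manifest and the `audit_manifest` name are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Listener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (kind, detail) findings for SMS capabilities in a manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    # Declared permissions that let the app send, read or intercept SMS.
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SMS_PERMISSIONS:
            findings.append(("permission", name))
    # Receivers subscribed to incoming SMS; elevated priority is flagged.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(flt.get(ANDROID_NS + "priority", "0"))
            except ValueError:
                priority = 0
            kind = "sms-receiver-high-priority" if priority > 0 else "sms-receiver"
            findings.append((kind, receiver.get(ANDROID_NS + "name", "?")))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print(kind, detail)
```

A flashlight app that asks for SMS permissions is the kind of mismatch worth a second look before installation. When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml.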

But iPhone users shouldn't get complacent. Apple's curated App Store provides a useful shield to native malware apps, but as the drive-by JailBreakMe exploit exposed, even iOS can be compromised.

Aside from being wary of new apps from unknown sources, it's also important to maintain good mobile device security hygiene:

-- Store as little data as possible locally -- it's impossible not to have your contact list and cached email and browser sessions on a smartphone, but avoid storing copies of sensitive business documents.

-- Encrypt data in storage and transit; use file encryption (or an encrypted file system as in iOS) for local storage and VPNs for network connections on unsecured links, namely public Wi-Fi hotspots.

-- Finally, use a mobile device management service, either an enterprise product such as AirWatch, MobileIron, or Zenprise, or a consumer-oriented service like Apple's Find My iPhone or Lookout for Android, that can track and remotely wipe a lost or stolen device.
