Rise Of Android Botnets
No, it's not the latest series on the Syfy network, much as affected companies may wish this trend were fiction.
The size of the smartphone malware "market" was made clear last week in a report issued by Damballa Labs that offers a rare analysis of mobile botnets. Now, if you've followed InformationWeek's Mobile Security Tech Center, you know that malware targeting mobile devices -- effectively smartphones, since the tablet market is owned by iPad, which has yet to see a successful malware penetration -- is on the rise. Today, breaking into connected devices and compromising online identities is big business, and smartphones are the next front in the cybercrime battlefield.
Damballa found that in the first half of this year, the number of compromised Android devices communicating with known criminal command and control (C&C) networks grew significantly, topping out at 20,000 devices on two particularly nasty weeks. This marks a disturbing milestone in the evolution of mobile malware, since until recently, mobile exploits typically didn't involve a persistent takeover of the device and active communication with a C&C botnet. As the report concludes, "two-way Internet communication now makes the mobile market as susceptible to criminal breach activity as desktop devices."
More Security Insights
- 2012 IBM X-Force Annual Trend and Risk Report
- Intelligent Role Management for Improved Security and Compliance
Magnifying the risk is the fact that, as Damballa points out, many of these devices also join corporate Wi-Fi networks, where they are largely flying under the radar of existing security protocols and thus are ready agents for spreading malware to other internal systems, even PCs.
Just how easy is it to create and control an Android botnet? This was demonstrated last winter at ShmooCon by Georgia Weidman (watch an interview describing the technique here and download her presentation here).
Weidman's code inserts itself into the phone's modem driver and the rest of the telephony stack, ingeniously using the SMS messaging protocol to control the underlying malware. SMS makes a great C&C channel, according to Weidman, since it's fault-tolerant (SMS queues messages for later delivery if the network is unavailable), hard for security teams to monitor (since it's operated by the telecom carrier), and, perhaps most importantly, power-efficient. That's critical because IP traffic, over Wi-Fi or 3G, is one of the biggest smartphone battery drains. By using a lightweight protocol like SMS, botnet operators can have a relatively chatty dialog with their slave devices without tipping the owners off that something might be amiss on their phones. The downsides are that SMS instructions are limited to 160 characters, and users may eventually notice messaging charges on their phone bills.
Installation follows the typical path of getting someone to install a Trojan app. Weidman sums up the significance of this attack vector: "If attackers can get the bot installed, they can remotely control a user's phone without giving any sign of compromise to the user." The malicious beauty of a smartphone or tablet bot is the very mobility of the host; its nomadic network transience exposes the malware to more victims ... sort of like a traveling salesman with tuberculosis.
With mobile devices the new frontier for cybercrime, some basic security advice bears repeating. Mobile malware is primarily spread through native apps, which largely explains why iPhone and iPad users are less vulnerable, shielded by Apple's curated App Store. In contrast, IT should educate Android aficionados to curb urges toward download promiscuity, since the Android Marketplace is open to anyone and doesn't perform any security checks before publishing an app. Sure, Android forces apps to inform users of the phone features it needs, but there is nothing to prevent it from abusing the privilege. Even seemingly benign capabilities, like being able to send SMS text messages, can be deviously employed, as Weidman's botnet software makes abundantly clear.
But iPhone users shouldn't get complacent. Apple's curated App Store provides a useful shield to native malware apps, but as the drive-by JailBreakMe exploit exposed, even iOS can be compromised.
Aside from being wary of new apps from unknown sources, it's also important to maintain good mobile device security hygiene:
-- Store as little data as possible locally -- it's impossible not to have your contact list and cached email and browser sessions on a smartphone, but avoid storing copies of sensitive business documents.
-- Encrypt data in storage and transit; use file encryption (or an encrypted file system as in iOS) for local storage and VPNs for network connections on unsecured links, namely public Wi-Fi hotspots.
-- Finally, use a mobile device management service, either an enterprise product such as AirWatch, MobileIron, or Zenprise, or a consumer-oriented service like Apple's Find My iPhone or Lookout for Android, that can track and remotely wipe a lost or stolen device.
See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.