Researchers show infecting smartphones with malware is relatively easy
At the RSA Conference, TippingPoint researchers Derek Brown and Daniel Tijerina presented the results of an investigation into how easy it is to get a malicious program onto thousands of Android smartphones and jailbroken iPhones. The security experts developed an application called WeatherFist, which appears to do nothing but display the weather conditions at the user's location.
For this purpose, the app sends the phone's GPS position to a server, which converts the coordinates into the location's post code and forwards it to weatherunderground.com. The app then appears simply to display the weather data returned by that site. Behind the scenes, however, WeatherFist can take control of the smartphone, read text messages and address book entries, or open a reverse shell for remote access. The developers say they could also bind an SMTP server to a network socket and, for example, send out spam; a classic botnet would be born.
Unlike ikee, the first iPhone worm, which spread on its own by scanning the network for jailbroken iPhones running SSH with the default root password, Brown and Tijerina chose a different route for getting their software onto the smartphones: they placed their application in various app collections such as ModMyi.com (a Cydia repository for jailbroken iPhones) and SlideME (a third-party Android market), and counted almost 8,000 installations by iPhone and Android users within a month. Nearly 1,900 copies were installed within the first 24 hours. For obvious reasons, the version of WeatherFist that is still available online contains none of the malicious functions.
At the RSA conference, however, the researchers demonstrated the malicious potential using an extended version called WeatherFist BadMonkey, which will not be released. Talking to heise Security, Brown and Tijerina explained that, had they been attackers, they could have pushed the malicious version to the installed base through an auto-update mechanism in no time. The access to the GPS module, the smartphone's file system and the network stack that the original app was granted at installation would simply carry over to the update: ideal conditions for malware.
In the researchers' opinion, even the harmless version of WeatherFist should have raised suspicion with the maintainers of the online app collections: the application sends raw GPS data to an external server for no apparent reason, since the smartphone platforms provide their own APIs for turning coordinates into a location. "It seems that nobody really looked at the code. 20 minutes after we submitted the app, the software went online at the store. We can, therefore, safely assume that nobody will become suspicious about an update, no matter how much malicious code it contains," said Brown.
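A review check of the kind the researchers say the store maintainers never ran, covering both the retained-permissions point and the "nobody looked at the code" point above, as an added example that is not from the article or from TippingPoint: a small Python audit that compares an app's declared Android permissions with what its stated purpose needs, and diffs an update against the installed version to show which grants carry over untouched. The manifests, the com.example.weatherapp package name and the per-purpose baseline are constructed for this example; the permission strings themselves are real Android permission names.

```python
"""Review-time permission audit, as an added illustration (not TippingPoint's code).

Given an app's stated purpose and its AndroidManifest.xml, flag every permission
the purpose does not justify, and compare an update against the installed
version to show which grants simply carry over. The manifests, package name and
purpose baseline below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed least-privilege policy: a weather app needs network access and a
# coarse location and nothing else. This is the reviewer's baseline, not an
# Android rule.
BASELINE = {
    "weather": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Real Android permission names mapped to the capability the article says the
# malicious build exercised.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS position",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CONTACTS": "read address book entries",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to the file system",
}

# Constructed manifest for the "harmless" v1: over-privileged, but with no
# malicious code behind the grants yet.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weatherapp" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Weather"/>
</manifest>"""

# Constructed v2 update: identical permission set, new code behind it. Because
# nothing new is requested, the platform has no reason to re-prompt the user.
MANIFEST_V2 = MANIFEST_V1.replace('android:versionCode="1"', 'android:versionCode="2"')

# Constructed manifest of what a weather app should look like.
MANIFEST_MINIMAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weatherapp" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml, purpose):
    """Compare declared permissions against the baseline for the stated purpose."""
    declared = declared_permissions(manifest_xml)
    excess = declared - BASELINE[purpose]
    findings = [f"{p}: lets the app {HIGH_RISK[p]}" for p in sorted(excess) if p in HIGH_RISK]
    return {"declared": declared, "excess": excess, "findings": findings,
            "reject": bool(excess)}


def update_delta(installed_xml, update_xml):
    """Show what an update inherits from the installed version's grants."""
    old, new = declared_permissions(installed_xml), declared_permissions(update_xml)
    return {"retained": old & new, "added": new - old, "dropped": old - new,
            # Android only re-prompts the user when an update asks for something new.
            "needs_new_consent": bool(new - old)}


if __name__ == "__main__":
    for label, xml in (("minimal", MANIFEST_MINIMAL), ("v1", MANIFEST_V1)):
        result = audit(xml, "weather")
        print(f"{label}: reject={result['reject']}")
        for line in result["findings"]:
            print("  " + line)
    delta = update_delta(MANIFEST_V1, MANIFEST_V2)
    print(f"update adds {sorted(delta['added'])}, re-consent needed: {delta['needs_new_consent']}")
```

Run with python3: the minimal manifest passes, the over-privileged v1 is rejected with one finding per unjustified grant, and the v2 delta shows that an update asking for nothing new inherits every existing grant without prompting the user, which is exactly the condition the researchers describe. The check takes seconds, far less than the twenty minutes the submission spent in the queue.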
According to the researchers, only Apple's App Store offers a degree of protection against malicious applications. Brown and Tijerina said that Apple's review rigorously checks the source code for potential security problems such as buffer overflows, for copyright infringements, and for the use of permitted protocols and APIs. Brown believes that malicious functions hidden in an allegedly harmless app are bound to attract attention under such scrutiny. Updates are checked against the same strict criteria, the researchers said. Google is less thorough, they added, and appears to rely on the vigilance of the community; only recently a banking trojan that tried to steal users' banking credentials made it into Google's Android Market.
The experts' conclusion is simple and sound: smartphone users should obtain applications from trusted sources only. Unfortunately, they said, Apple's App Store is currently the only collection that thoroughly inspects the applications it offers.