Mobile Devices – Enslaved and Poised for DDoS

Almost everybody has got one – it is smarter and faster than your old PC and you carry it around in your pocket. Sounds like a truly personal gadget, yet other people can use it without your consent. Sad but true. Mobile devices are growing in numbers and so are the security threats around them. One of these is unsolicited participation in what is becoming the new tool of hackers worldwide – the creation of massive mobile Botnets. What is the big deal, how much damage can a mobile cause? On its own not much, but pooled with hundreds of thousands of others… we leave the math to you.

If you are wondering – “Why mobiles, aren’t there more effective ways to do the job?“, the answer is simple, yet the reasons are many. Over the last few years, the hardware parameters and computational power of mobile devices have made a huge leap forward. Quad-core processors and gigabytes of RAM and storage are not reserved for PCs anymore. The bandwidth available to mobile devices is also rapidly increasing. Not only that, but mobile devices are considerably less protected. Most smartphones and tablets have no anti-virus protection, no firewall and no way of detecting malware. Combine all of the above with their increased availability and numbers, which by some estimations are threatening to exceed the number of people in the world, and voilà, you have a nice new tool to use in malicious activities and subsequently Botnet creation.

For those of you who are not too familiar with DDoS and the way it works, a Botnet is a collection of interconnected machines that have been infected with malicious software. The program that infects machines is called a bot and the compromised device a Zombie. Control over the Zombies is entrusted to a server known as a Command and Control (C&C) server. And what used to be the domain of PCs and servers is now being extended to include mobile devices forming botnets as well.

There are a number of ways an infection can happen, usually involving a Trojan. There are three main types of infection. The first one, repackaging, is in essence a legitimate app that has been bundled with a virus. After that, the application is advertised as a genuine version or a free alternative. The second way of infection is an unintentional download that occurs while the user is browsing a website, called a drive-by download. This happens either by clicking on a pop-up window or by being redirected to a malicious website, sometimes even one that is made to look like the Google Play Store. The third way is malware that poses as a legitimate update. Some of the malicious apps are downloaded with user consent, by posing as newer versions of already installed programs and sometimes by using legitimate third-party services used for updating software. Another way that doesn’t need user consent is to update only parts of the software; this way the infection is stealthy and runs in the background.

Just stop for a second and think about how often you download apps from an unknown or suspicious source. Sometimes users try to avoid paying for the genuine version of a program or a game by downloading it from a third-party provider. No matter what the specific way, the goal is always the same – gain control over your device.

It is no surprise that mobile Botnets include primarily devices running Android. Unlike Apple devices, whose apps must pass a review process to be included in Apple’s app store, which is the only way to get apps onto them, Android devices can download software from third-party providers. The types of malware used for infecting devices vary by infection method, purpose and operation. Some examples used so far – android.ddos.1.origin, android.troj.mdk, MisoSMS, Android.Bmaster, etc. New viruses used for obtaining control over mobile devices are being developed incessantly. Already large mobile Botnets are exploited over and over in different malicious campaigns, mostly DDoS. Last year for example, a Botnet located mainly in China was discovered. It enlisted over 1 million devices infected with Android.Troj.mdk, which was hidden in more than 7000 apps.

Mobile Botnets can be and are being used to empower a number of malicious activities – stealing valuable information stored or processed by users, generating profit by making unauthorized actions and transactions, or commonly just DDoSing. Mobiles are used for carrying out DDoS campaigns in pretty much the same way the usual Botnet is. Hackers use the C&C server to send commands to the Zombies, which in turn generate massive amounts of bad traffic that overwhelms a network. There are different ways for the C&C server to send commands to the Zombie, most commonly HTTP-based or through the SMS service, the latter being preferred. This is because SMS is the most used mobile service, and also because malicious data can be hidden in SMS and even reach offline bots.

Another reason for concern is the barrage of apps available that can directly execute a DDoS attack. Their reach is continually increasing, and they employ popular attack methods like the SYN flood, UDP flood and so on. Although attacks from mobile apps are simple in nature, they can still prove to be harmful. Examples of such applications are the mobile LOIC, AnDOSid, Bugtroid and OFS Stress-Tester, just to name a few. They are often advertised as website testing services, but their real intended use and ambitions should be apparent even to laymen.
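What a coordinated C&C command looks like from the target’s side, as described in the two paragraphs above, is many clients suddenly hammering the same resource at once. The following detector is an added example (not code from the original article): it runs over a constructed set of web access-log lines and flags a window in which at least five distinct clients each sent three or more requests for the same path. The log format, thresholds and sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed combined-log-style line: ip - - [ts tz] "METHOD /path HTTP/x" status bytes "ref" "UA"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\s]+)[^\]]*\] "\S+ (\S+) [^"]*" \d+ \d+ .*$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse(line):
    """Return (client_ip, epoch_seconds, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    epoch = int(datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc).timestamp())
    return ip, epoch, path

def detect_flood(lines, window_s=10, min_sources=5, min_per_source=3):
    """Flag (window_start, path, sources, requests) when at least min_sources distinct
    clients each sent at least min_per_source requests for one path inside one window.
    A few busy legitimate users rarely satisfy both conditions at once; a burst of
    zombies acting on the same C&C command does."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, epoch, path = rec
            buckets[(epoch - epoch % window_s, path)].append(ip)
    alerts = []
    for (start, path), ips in sorted(buckets.items()):
        heavy = [ip for ip, n in Counter(ips).items() if n >= min_per_source]
        if len(heavy) >= min_sources:
            alerts.append((start, path, len(heavy), len(ips)))
    return alerts

def _line(ip, t, path):
    """Constructed sample log line (the Android user agent is illustrative only)."""
    ts = datetime.fromtimestamp(t, timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4) Mobile"'

T0 = int(datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp())
# Baseline: three ordinary visitors, one request each, spread over a minute.
SAMPLE = [_line(f"10.0.0.{i}", T0 + 15 * i, "/") for i in range(1, 4)]
# Burst: seven clients each hit /login four times inside the same 10-second window.
SAMPLE += [_line(f"192.0.2.{i}", T0 + 120 + j, "/login") for i in range(1, 8) for j in range(4)]

if __name__ == "__main__":
    for start, path, sources, reqs in detect_flood(SAMPLE):
        print(f"suspected flood: window={start} path={path} sources={sources} requests={reqs}")
```

On the sample, the baseline visitors produce no alert while the burst is reported as one window on /login with seven heavy sources and 28 requests; tune the thresholds to the site’s normal per-path traffic before using this on real logs.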

As you may have already realized, hackers are resourceful. They will use all means available to take you down or just cause you trouble. What can be done to limit their mischief is to be mindful of what you download to your phone and not connect to the first free Wi-Fi that pops up near you, but this has limited results. Mobile security solutions are another option that may prove to be useful. What is certain in this case is that mobile Botnets are bound to get larger and more efficient with time, in sync with your smartphone’s ever-better specs.
