By Andy Greenberg
June 21, 2010
A word of caution to any Android users who downloaded an app over the
past weekend promising pictures of the next Twilight film: Next time,
your obsession with vampires might just turn your phone into a zombie.
In a talk at the hacker conference SummerCon last Friday, researcher Jon
Oberheide gave a demonstration of just how easy it may be to infect
large numbers of phones running Google's Android OS with hidden software
that turns the devices into a zombie-like "botnet" under the control of
a cybercriminal--particularly if that software associates itself with a
phenomenon as popular and tween-entrancing as the upcoming Twilight
Oberheide focused on what may be a serious security weakness in
Android's App Market: that apps don't have to ask permission from a user
to fetch new executable code. Even after an app has been approved for
downloads in Google's market, Oberheide says, it can still metamorphose
at will into a much less friendly program.
Oberheide, who works for security startup Scio Security, developed an
application called "RootStrap" to demonstrate that trust problem for
Android apps. After it's installed, Rootstrap periodically "phones home"
to check for any new code that Oberheide wants to add to the program,
including any hidden control program or "rootkit" that he wished to
install--hence the program's name. "This is probably the most effective
way to build a mobile botnet," Oberheide told SummerCon's audience of
hackers and security researchers.
Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of Briefings
from security industry elite. To sign up visit http://www.blackhat.com