The relative easiness of setting up a mobile botnet of nearly 8,000 phones has been demonstrated by Derek Brown and Daniel Tijerina at this year’s edition of the RSA Conference in San Francisco.
The two researchers with TippingPoint’s Digital Vaccine Group built WeatherFist, a weather application for iPhones and Android smartphones, which is able to harvest information such as phone numbers and GPS coordinates from the phones of the people who downloaded it.
Eschewing Apple’s iPhone AppStore on account of the strict vetting process and the Android’s official application marketplace in view of the application sandbox and permission model, they concentrated their offer on other stores (SlideME and ModMyI) where applications for jailbroken iPhones and Android phones can be offered more easily.
According to DarkReading, WeatherFist requests the GPS coordinates from the phone, which then are transmuted in ZIP codes that get sent to the Weather Underground site, which delivers the relevant weather forecast.
All in all, this is a fairly benign application compared to the next one they wrote: WeatherFistBadMonkey. This one presents itself as WeatherFist, but is actually able to harvest information such as cookies, physical address, contact information, and in addition to that, it allows the creators to organize spam runs.
WeatherFistBadMonkey hasn’t been and will not be offered on any market – the researchers say that they have tested it only on their phones. With the WeatherFist experiment they simply wanted to demonstrate how easy it actually is for criminals set up a mobile botnet.