While he is not the first to think of demonstrating that an application can be used to create a botnet of Android-running mobile devices, researcher Jon Oberheide’s demonstration at SummerCon has certainly made people think again about how relatively easy it is to do such a thing.
He took advantage of the fact that applications sold on Android’s App Market don’t have to ask the user for approval when they want to fetch new executable code, which makes it possible for a benign application to be turned into a malicious one with the user being none the wiser.
He marketed the application as a collection of preview pictures from the upcoming Twilight Eclipse movie, and managed to entice 200 users into downloading it in the first 24 hours.
The actual application that is responsible for downloading further executable code is called “RootStrap”, and it’s hidden within the harmless-looking one. According to Andy Greenberg, “Rootstrap periodically ‘phones home’ to check for any new code that Oberheide wants to add to the program, including any hidden control program or rootkit that he wished to install.”
The only thing left to do at that point is to exploit a vulnerability in the OS and take over the phones, which – Oberheide claims – is quite easy to do. Rich Cannings, Google’s Android security lead, says that the executable-code-fetching ability is one that many mobile AND desktop platforms have, but – surely! – this has to be one vulnerability that must be fixed as quickly as possible.