Designing Smartphone Botnet Command and Control Infrastructure
Smartphone security mostly still means having the ability to remotely manage devices. Still, malware targeting smartphones does exist, and the prospect that attackers will get more actively involved in exploiting is real.
With that in mind, security researchers Collin Mulliner and Jean-Pierre Seifert discussed how attackers could build a smartphone (PDF) botnet that would be difficult to detect and destroy at the 5th IEEE International Conference on Malicious and Unwanted Software (MALWARE) last month in France.
Building a successful botnet takes more than malware and a vulnerability; it also requires attackers have a way to communicate with their bots. In an e-mail conversation with eWEEK, Mulliner laid out a number of different strategies aspiring botmasters can take.
Among the approaches: peer-to-peer (P2P), SMS-only and SMS-HTTP hybrid.
In a P2P scenario, each bot connects to a P2P networks such as Overnet, Mulliner explained. The bots constantly search for specific hash values that are placed by the botmaster, he said, and the meta data attached to the hashes contain the commands to the bots.
"The benefit is that the approach is simple and easy to implement," he said. "The botmaster can utilize existing infrastructure (Overnet). The drawback is that p2p based botnets are well researched. Therefore counter measures from PC-based botnets can be used against this."
In an SMS-only approach, all command and control is done over SMS messages.
"In our design the botnet is build like a tree, where every bot has a number of [leaf] bots. The botmaster only has to send one SMS message to the root bot and the botnet will distribute the command through the tree. This kind of communication is stealthy...the big drawback is that the botmaster has to do a lot of management work to keep the net together. He has to update the tree structure by moving around nodes and so [on]."
Then there is SMS with HTTP, where the SMS messages contain a URL to a file. The file contains pre-built SMS (command messages) with destination phone numbers, Mulliner explained.
"When a bot receives such a message it downloads the file and extracts the messages," he said. "Then he sends the messages to the given bots. The message again could lead the bots to download files and further send messages to other bots."
"The benefits of this design are: the botmaster doesn't need to do as much test/repair of the botnet since each node of the botnet doesn't store phone numbers," he added. "The botmaster can also change the communication pattern of the work nicely in order to prevent detection. But the botnet is still harder to attack since a lot of the communication is with SMS and therefore only "sniffable" from the mobile network operator."
Companies like Google and Apple need to make sure they don't have too many vulnerabilities that open a door for malware, which includes monitoring their respective app stores, he said. Telcos meanwhile need a way to detect "strange" communication patterns, and maybe have some SMS intrusion detection systems, he added.
"We think smartphone botnets are one of the next big security issues," Mulliner said. "Therefore we think it is time to develop an understanding of how smartphone botnets could work - especially the command and control (C&C) functionality. We think that the mobile network operators (MNOs) will play a major role in fighting mobile phone botnets."