Is that a bot in your pocket – or does it just look like one?

Last week at the RSA Conference, my colleague Derek Brown and I, presented findings from a research project titled MOBOTS: Pocketful of Pwnage, which was designed to show how easy it would be to create a large mobile botnet. Please note that we did not actually create a botnet; we simply presented results of two different experiments that showed how easy it would be to create one.
Despite the lack of actual drama (i.e. no botnet), the session has generated quite a bit of interest, so we wanted to take the opportunity to share the results with those that weren’t able to attend.
Background and Research
As stated, the point of this research was to show just how easily and quickly a hacker could amass a large army of mobile bots. The experiment involved two key pieces:

A control application: WeatherFist was a legitimate weather application that users could download to their smartphones. WeatherFist used a technique that enables the smartphone to “phone in” the users’ GPS coordinates to the application’s server so users can get accurate weather for their exact location. This application was posted – with links to a full EULA – on common app sharing sites like ModMyI (iPhone) and SlideMe (Android).

A test application: WeatherFistBadMonkey was a “malicious” version of the same application designed to look like – and on the surface, (continue reading...)