Smartphone botnets? New report predicts mobile devices will be part of DDoS attacks

As more people adopt smartphones, criminals will find new ways to use them for no good

Smartphones could soon be used to launch distributed attacks, much like traditional PCs are now used as parts of larger botnet networks, according to a new report from ENISA, the European Network and Information Security Agency. In research that details the many risks of smartphones, the findings claim that while the devices are not currently being targeted for such attacks, this may change as mobile devices are becoming more popular, more connected and the complexity and the number of vulnerabilities in these platforms is increasing.

See also: The mobile secururity survival guide

Smartphone botnets could be used for familiar crimes such as spam, click fraud and DDoS, the report claims. Since smartphones interface with cellular networks, they could also be used for new distributed attack scenarios; such as SMS spam and DDoS on telephony networks. Such attacks could be used to support wider attacks on, for example, other infrastructure.


"Mobile phone coverage is becoming increasingly vital, especially in the event of an emergency, so smartphones open up new possibilities for DDoS attacks with potentially serious impacts," according to the findings.

In an example, the report cites an example of a 2001 virus that impacted DoCoMo, a Japanese mobile operator. The 'i-mode virus' had access to call interfaces, which were available to malicious emails at the time and caused the user's device to dial emergency numbers.(See also:Zeus botnet targets holiday shoppers)

"Since the number of vulnerable devices at the time was small, this is unlikely to have had a significant impact but, in today's environment, such an attack could have flooded emergency numbers," the report states.

The report breaks down smartphone vulnerabilities and their risk level among three categories of user: consumer, employee, and high official (executive). Among its other highlights, it ranks unintentional disclosure of data as high risk for all three groups of users because many are not aware of all the functionality of smartphone apps. Even if a users has given explicit consent, they may be unaware that an app collects and publishes personal data, such as with location data - which is often used in social networks. While most apps have privacy settings for controlling how and when location data is transmitted, many users are unaware, or don't recall, that the data is being transmitted, let alone know of the existence of the privacy setting to prevent this, according to the report.

"Unintentional disclosure of location data may help attackers to track and trace users and so allow, for example, stalking, robbery or the hijacking of trucks containing valuable goods," the research states.

According to Gartner, worldwide smartphone sales doubled last year and 80 million were sold worldwide in Q3 2010 alone.

Copyright © 2010 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.