You may already know the basics of Internet security and keeping your personal data private while browsing the Web: Use a firewall, don’t open attachments you aren’t expecting, and never follow links from strangers. But what about your smartphone? The ease with which security researcher Georgia Weidman was able to infect Android phones with her custom botnet during the 2011 ShmooCon security conference suggests that anyone concerned about the privacy of the personal data stored on their smartphone should think twice before downloading dubious or otherwise untrustworthy apps.
So how does a smartphone botnet spread? First, the victim needs to download a file that contains a bot builder program--a secret snippet of malicious code that will install a bot into the basic operating system of a phone. The infected file could be an app, a piece of music or even an email attachment. “It could be camouflaged in anything at all,” claims Weidman. “Someone might put out a great, functional app that users want. Worse, the app would work as advertised so they wouldn’t suspect it; meanwhile the botnet could be active for years.”
Once your phone is infected, a slave bot program will be installed in the base operating system, beneath the application layer that most users are familiar with. From there these bots can monitor and modify all data sent to and from the phone before you see it, allowing the botmaster to command and control your phone without your knowledge. “Since the bot sees everything before the user does, it’s possible to catch private data and forward it elsewhere on the internet,” says Weidman. “What you’ve been doing, who you’re speaking to and where you’ve been.”