EU report warns of cellphone botnet danger

Smartphones could soon be used to launch distributed botnet attacks, a new EU security report warns.

The EU’s IT security agency, Enisa, says that as mobile devices become more popular and more connected – as well as more complex and more vulnerable – it’s only a matter of time.

“Smartphone botnets could be used for familiar crimes such as spam, click fraud and DDoS,” says the report. “Since smartphones interface with cellular networks, they could also be used for new distributed attack scenarios; eg SMS spam and DDoS on telephony networks. Such attacks could be used to support wider attacks on, for example, other infrastructure.”

Another common risk of smartphone use, says the report, is of accidental leakage of sensitive data, for example through GPS data attached to images. “Users, by giving an app access to the image files, may be unintentionally disclosing their whereabouts,” warns the report.

Another is data theft by malicious apps and from stolen, lost or decommissioned phones. While most people now routinely wipe hard drives before disposing of an unwanted PC, says the report, few take the trouble when scrapping a smartphone.

“In a recent study, mobile phones were bought second-hand on eBay and, out of the 26 business smartphones, four contained information from which the owner could be identified while seven contained enough data to identify the owner’s employer,” says the report.

“The research team managed to trace one smartphone to a senior sales director of a corporation, recovering call history, address book entries, diary, emails, etc.”

Also on the increase, says the report, is so-called ‘diallerware’ – malicious software which steals money through unauthorised phone calls.

“Given the growing importance of smartphones for EU businesses, governments and citizens, we consider it essential to assess their security and privacy implications,” says Professor Dr Udo Helmbrecht, executive director of Enisa.