What are mobile bots and botnets?
A mobile bot is a form of malware that runs automatically once it has been installed on a mobile device. Such bots can gain full access to the infected device and all its data, and they typically communicate with and receive instructions from one or more ‘command and control’ (C&C) servers. In this way, compromised smartphones, tablets, and other infected devices become part of a mobile botnet (a network of bots running on mobile devices) run by a hacker or cybercriminal, usually referred to as a botmaster.
Some of the first mobile bot infections were discovered in 2011, when compromised gaming applications such as ‘DroidDream’ were found on Android devices. Once thousands of infected devices are combined into a large botnet, attackers can carry out damaging attacks such as application DDoS (Distributed Denial of Service), content and price scraping, and exfiltration of personal data and log-in credentials for websites and apps used by the infected device’s owner. Sophisticated mobile botnets have also targeted iPhones (and, in the past, BlackBerry and Symbian devices) via text-message and ‘zero-click’ attacks that install malware without the victim being aware.
Unlike desktop devices, which either have a single permanent (static) IP address or are assigned a dynamic IP address by their Internet provider that changes every few days or weeks, mobile devices often change their IP address many times a day as they move between mobile towers and networks and connect to different Wi-Fi access points. This makes bots on mobile devices far harder to detect than bots on desktop computers, and when it is combined with ‘behavioral hijacking’ techniques that imitate the way humans touch, tap, and swipe on their devices, it poses a considerable challenge for bot detection solutions.
How do mobile devices get infected?
Bot infections can be transmitted through viruses, worms, and Trojans with bot-like capabilities. An email with a malware attachment can often compromise a device automatically, without any user interaction. Embedded links in emails, if clicked by an unsuspecting victim, can likewise download a malicious payload to the device and ensnare it in a botnet. In recent years, we have seen a rise in botnet malware embedded in popular or seemingly legitimate apps and games.
Using techniques such as supply-chain attacks, malicious code can be added to many types of third-party vendor apps and plug-ins to distribute botnet malware to thousands or even millions of mobile devices. Similarly, code embedded in a compromised website or app can install itself automatically, loading into the device’s memory when a visitor opens the site or app; this is known as a “drive-by download”. Using such techniques, a large botnet can be assembled in just a few days or weeks. Even the C&C servers controlling the botnet can be switched regularly to different IP addresses and computers to better evade detection and blacklisting.
What is the impact of a bot infection?
Depending on the botmaster’s intentions and objectives, a bot infection on a mobile device can:
- Disrupt or deny access to networks
- Steal credit card details, website log-in credentials, and other confidential data
- Copy messages and contact lists from the devices
- Send SMS or make calls to numbers that charge for premium services
- Block incoming messages
- Install or delete applications
- Visit malware-laden sites
- Click on fake ads (ad fraud)
How can users protect mobile devices from bot infections?
It’s a never-ending battle between operating system and application developers and nefarious parties looking to make a quick buck by leveraging botnets to commit fraud and crime. As vulnerabilities get patched, a new one is inevitably found and exploited to create a botnet. However, a few basic precautions are advised for mobile users to protect their devices from bot infections:
- Install apps and games only from trusted app stores
- Be cautious with emails that contain attachments or links. Ignore messages from unknown or suspicious senders, especially ones that appear to be from a company or service that you use. Malware is often spread via emails that look legitimate but use spelling variations or substitute letters or numbers (such as a ‘zero’ in place of the letter ‘o’).
- Tell-tale signs of a bot or malware infection include heavy battery usage that necessitates more frequent charging, abrupt or suspicious disconnections from networks or services, phone calls or text messages to unknown numbers, and suspicious activity on websites and apps.
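The lookalike-sender trick described above (a zero for the letter ‘o’, a one-letter misspelling of a familiar domain) is something a mail filter can check for mechanically. The following is an added example, not code from the original page or from Radware: it classifies a sender address as trusted, lookalike, or unknown against a small trusted-domain list. The trusted domains, the substitution table and the one-edit rule are assumptions chosen for illustration.

```python
"""Lookalike-sender check (added example; the trusted-domain list and the
substitution table below are assumptions, not anything from the page)."""

# Constructed: domains the user or organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"example.com", "mybank.example"}

# Single characters commonly swapped for look-alike letters (the page's own
# example is a zero for the letter 'o'); the pairs handle two-letter tricks.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
PAIRS = (("rn", "m"), ("vv", "w"))


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address ('' if malformed)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower().strip() if sep else ""


def normalize(domain):
    """Undo the common visual substitutions so look-alikes collapse onto the real name."""
    domain = domain.translate(HOMOGLYPHS)
    for fake, real in PAIRS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-letter misspellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """'trusted' for an exact match, 'lookalike' for a homoglyph or one-edit
    variant of a trusted domain, 'unknown' for anything else."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if normalize(domain) in TRUSTED_DOMAINS:
        return "lookalike"
    if any(edit_distance(domain, trusted) == 1 for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("alerts@example.com", "alerts@examp1e.com",
                 "alerts@exarnple.com", "alerts@examplle.com", "news@unrelated.example"):
        print(f"{addr:28} -> {classify_sender(addr)}")
```

A "lookalike" verdict is a reason to quarantine or warn, not proof of malice; the one-edit rule in particular will also match harmless typos, so it is best applied only to domains a user actually corresponds with rather than to a long generic list.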
How can enterprises secure their websites and apps from bots and botnets?
It’s a battlefield out there, and enterprises can protect themselves from malicious bots and botnets by:
- Securing against every possible bot attack vector
- Blocking or showing a CAPTCHA to known bot hosting providers and proxy services
- Evaluating sources of visitor traffic
- Analyzing suspicious spikes in traffic
- Monitoring failed log-ins and gift card validations
- Most importantly, implementing a dedicated bot mitigation solution
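Three of the items above (evaluating traffic sources, spotting traffic spikes, and monitoring failed log-ins and gift card validations) can be expressed as a single pass over an access log. The following is an added example, not code from the original page or from Radware Bot Manager. It runs those checks over a few constructed log lines; the log format, the thresholds, the endpoint names and the "hosting provider" address range are all assumptions for this illustration. Because mobile clients change IP address many times a day, the counters are keyed by a client identifier supplied by the app rather than by IP, and only the hosting-range check looks at the address itself.

```python
"""Detection pass over constructed access-log lines (added example; the log
format, thresholds, endpoints and address ranges are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumed log format, one request per line:
#   <ISO timestamp> <client id> <client IP> <method> <path> <status>
# The client id stands for whatever stable identifier the app provides (session
# or device fingerprint); mobile clients rotate IPs too often for IP to be the key.

# Constructed: address ranges the operator treats as bot hosting / proxy providers.
# TEST-NET-2 is used here purely as a placeholder for such a list.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Endpoints whose failures are worth counting (failed log-ins, gift card validations).
SENSITIVE_PATHS = {"/api/login", "/api/giftcard/validate"}
FAILURE_STATUSES = {400, 401, 403}

WINDOW = timedelta(minutes=1)   # sliding window for both counters (assumption)
FAILURE_THRESHOLD = 5           # failures per client within WINDOW (assumption)
RATE_THRESHOLD = 20             # requests per client within WINDOW (assumption)


def parse_line(line):
    ts, client, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), client, ip, method, path, int(status)


def analyze(log_text):
    """Return {finding: set of client ids (or IPs for the hosting check)}."""
    findings = {"failure_burst": set(), "traffic_spike": set(), "hosting_provider": set()}
    failures = defaultdict(deque)   # client -> timestamps of recent failures
    requests = defaultdict(deque)   # client -> timestamps of recent requests
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, ip, method, path, status = parse_line(line)

        # Traffic from known hosting/proxy ranges: a candidate for a block or CAPTCHA.
        if any(ipaddress.ip_address(ip) in net for net in HOSTING_RANGES):
            findings["hosting_provider"].add(ip)

        # Per-client request rate over the sliding window (traffic spike).
        recent = requests[client]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) > RATE_THRESHOLD:
            findings["traffic_spike"].add(client)

        # Repeated failures on log-in / gift-card endpoints within the window.
        if path in SENSITIVE_PATHS and status in FAILURE_STATUSES:
            failed = failures[client]
            failed.append(ts)
            while ts - failed[0] > WINDOW:
                failed.popleft()
            if len(failed) >= FAILURE_THRESHOLD:
                findings["failure_burst"].add(client)
    return findings


def build_sample_log():
    """Constructed traffic: one normal user, one client hammering the log-in
    endpoint while rotating IPs, one gift-card enumerator, one scraper on a
    hosting-provider address."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def fmt(dt, client, ip, method, path, status):
        return f"{dt.isoformat(timespec='seconds')} {client} {ip} {method} {path} {status}"

    lines = []
    normal = [("GET", "/", 200), ("GET", "/products", 200),
              ("POST", "/api/login", 200), ("GET", "/account", 200)]
    for i, (m, p, s) in enumerate(normal):
        lines.append(fmt(base + timedelta(seconds=15 * i), "app-sess-a1", "192.0.2.10", m, p, s))
    for i in range(8):    # 8 failed log-ins in 40 s, alternating between two IPs
        ip = "203.0.113.7" if i % 2 == 0 else "203.0.113.8"
        lines.append(fmt(base + timedelta(seconds=5 * i), "app-sess-9f1", ip, "POST", "/api/login", 401))
    for i in range(6):    # 6 rejected gift-card codes in 30 s
        lines.append(fmt(base + timedelta(seconds=5 * i), "app-sess-c3e", "192.0.2.44",
                         "POST", "/api/giftcard/validate", 400))
    for i in range(30):   # 30 product fetches in 30 s from the placeholder hosting range
        lines.append(fmt(base + timedelta(seconds=i), "scr-77", "198.51.100.23", "GET", f"/products/{i}", 200))
    return "\n".join(sorted(lines))


if __name__ == "__main__":
    for name, hits in analyze(build_sample_log()).items():
        print(f"{name}: {sorted(hits)}")
```

The normal user's four requests and single successful log-in trigger nothing; the rotating-IP client is still caught because the failure counter follows the session id, which is the point of keying on a client identifier rather than an address. In practice the three findings map to different responses (a CAPTCHA for the hosting range, rate limiting for the spike, step-up authentication or a block for the failure burst), and the thresholds should be tuned against the site's own baseline traffic.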
Radware Bot Manager’s customized Mobile SDKs for iOS and Android seamlessly work with any technology stack and secure mobile devices from becoming ensnared in a botnet and leveraged for criminal purposes. Our SDKs are optimized for low power and memory usage and can be embedded into native as well as hybrid mobile applications for comprehensive bot protection. They are regularly updated to provide maximum protection and performance. These SDKs help in fingerprinting mobile devices by collecting information on the device and client application in use, the version of the app, the device’s hardware specifications, and other details. They additionally strengthen security by authenticating the APIs used by client applications running on mobile devices.
For more information on how your enterprise and mobile device users can be secured against botnets, get in touch with us at email@example.com.