In my January blog entry “Application delivery and the evolution of endpoints” I referenced how Citrix and VMware were starting to position themselves to be able to offer mobile hypervisors. At the time I suggested that while the technology did offer interesting opportunities, there was little immediate demand. However in light of one of the announcements from last week's RSA conference in San Francisco, it looks like I may have spoken too soon.
Derek Brown and Daniel Tijerina’s announcement at RSA of the creation of a 7,800-node botnet consisting of both Android phones and jailbroken iPhones running their WeatherFist mobile application may well spur enterprise demand for the mobile hypervisor. Brown and Tijerina, of TippingPoint’s Digital Vaccine Group, created two versions of the same basic application. The version of WeatherFist that was released into the wild did no more than obtain a phone’s GPS coordinates and phone number and upload them to a remote server, which converted the coordinates to a zip code and responded with the local weather forecast pulled from the Weather Underground site. At the same time, the pair created a malicious version of the application but, contrary to some reports, did not release it. This version (WeatherFistBadMonkey) contained code that could raid the phone’s contact list, steal cookies and send spam email. Most significantly, the released version already had to be granted the level of privilege the malicious one needed in order to operate, so obtaining a user’s permission to run the malicious version would have been no more difficult than it was for the benign one.
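To make concrete what the benign version's data flow hands to its operator, here is a small simulation of the exchange described above. It is an added example, not TippingPoint's code: the JSON check-in format, the coordinate-to-zip table and the canned forecasts are all constructed stand-ins for the real client/server traffic and the Weather Underground lookup. The point it isolates is that the forecast is computed from the coordinates alone, while the phone number serves only to build a server-side roster of every installed phone, which is what turns a weather widget into a botnet.

```python
"""Simulated WeatherFist check-in handling (constructed example, not the real app)."""
import json
from datetime import datetime, timezone

# Constructed lookup standing in for real reverse geocoding (2-decimal keys).
ZIP_BY_COORD = {
    (37.77, -122.42): "94103",   # San Francisco
    (40.71, -74.01): "10007",    # New York
}

# Constructed stand-in for the Weather Underground forecast feed.
FORECAST_BY_ZIP = {
    "94103": "Fog, 58F",
    "10007": "Rain, 49F",
}

# Server-side state. This is what makes a harmless-looking weather app a
# botnet roster: one entry per phone, refreshed on every check-in.
ROSTER = {}


def coords_to_zip(lat, lon):
    """Map GPS coordinates to a zip code using the constructed table."""
    return ZIP_BY_COORD.get((round(lat, 2), round(lon, 2)))


def forecast_for(lat, lon):
    """All the work a weather app needs: coordinates in, forecast out.
    The phone number is not an input here."""
    zipcode = coords_to_zip(lat, lon)
    if zipcode is None:
        return None
    return FORECAST_BY_ZIP.get(zipcode)


def handle_checkin(body, now=None):
    """Process one client check-in as the post describes it: the phone sends its
    GPS coordinates and phone number, the server records the device and answers
    with the local forecast. Returns the JSON response the phone would receive."""
    req = json.loads(body)
    phone = req["phone_number"]
    lat, lon = float(req["lat"]), float(req["lon"])
    now = now or datetime.now(timezone.utc)
    # Enrolment: the identifier is stored even though the forecast never uses it.
    ROSTER[phone] = {
        "lat": lat,
        "lon": lon,
        "platform": req.get("platform"),
        "last_seen": now.isoformat(),
    }
    return json.dumps({"zip": coords_to_zip(lat, lon), "forecast": forecast_for(lat, lon)})


def roster_size():
    """Number of distinct phones the server now knows about."""
    return len(ROSTER)


def fields_unused_by_forecast(body):
    """Check-in fields the forecast does not need. A quick data-minimisation
    check when reviewing what an app sends home."""
    req = json.loads(body)
    return sorted(k for k in req if k not in ("lat", "lon"))


if __name__ == "__main__":
    # Constructed sample check-ins from two phones.
    checkins = [
        '{"phone_number": "+14155550100", "lat": 37.77, "lon": -122.42, "platform": "iphone-jailbroken"}',
        '{"phone_number": "+12125550199", "lat": 40.71, "lon": -74.01, "platform": "android"}',
    ]
    for c in checkins:
        print(handle_checkin(c))
    print("devices enrolled:", roster_size())
    print("fields the forecast never needed:", fields_unused_by_forecast(checkins[0]))
```

Run as a script it prints the two forecasts, the roster count and the fields that were collected without being needed. The same structure, one harmless-looking request per use plus a server that remembers who sent it, is all the "botnet" in the announcement amounts to; the malicious payload is a separate question from the enrolment.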
Now that the news has broken I was expecting to find that WeatherFist had been pulled, but at the time of writing WeatherFist is still freely available on ModMyi, annotated with the somewhat ironic label “This package is from a trusted repository.”
This type of exploit requires two things to work: a poorly policed mobile app store and gullible, trusting users. Unfortunately, trusting users are in endless supply, and even the best policed of app stores will let something noxious in given enough time. Given this, how long will it be before IT security departments start mandating that users cannot install any third-party applications on a smartphone with access to sensitive information? Which is where the mobile phone hypervisor comes in. If employers cannot rely on their staff to prevent malware infection, how long will it be before IT security departments start mandating that smartphones have hypervisors installed to ensure separation of business and private applications and data, as a means of heading off the inevitable backlash against ever more restrictive security controls dictating just what an employee can do on their phone?