Over at Dark Reading you'll find a story entitled "Smartphone Weather App Builds A Mobile Botnet." The story reveals how a couple of researchers (Derek Brown and Daniel Tijerina) who work for TippingPoint thought it would be a good idea to build and release a rogue mobile phone application. The app poses as a weather infromation tool - but it also grabs phone numbers and GPS coordinates from unsuspecting iPhone and Andriod-based phones. Overall the application found its way into roughly 8000 phones so far, and supposedly it was released "to prove how such an app could steal or modify a user's contacts, read his files, and access his Facebook and Twitter accounts, as well as email and passwords."
I find this experiment - unleashed on an unsuspecting public - to be extremely irresponsible. There's absolutely no acceptable excuse for it. First of all, it's a no-brainer that if you load software into a computer then that software might do stuff you aren't aware of. Second of all, why does the obvious have to be re-proven - hasn't this already been done a bagillion times on Windows, Apple, and Linux platforms? Would it be too difficult to simply tell people that their phone is a computer and that it needs to be protected like one?
Oh wait, there's no drauma and sensationalization in that approach. Sorry. My bad.
