Tens of millions of mobile phones, tablets and other wireless electronics are being used discreetly by hackers to carry out criminal activity, and the owners of those devices don’t know it.
The eye-opening finding was announced in June by Distil Networks, an online threat mitigation firm with offices in San Francisco and clients worldwide.
Distil Networks gave NBC Bay Area early access to its study, “Mobile Bots: The Next Evolution of Bad Bots”. The data paints a bleak picture: as many as 5.8 percent of all mobile devices worldwide are infected with malicious automated software programs, known as “bots”.
“If you extrapolate that to the potential billions of mobile devices out there, that’s a pretty staggering number,” said Edward Roberts, Director of Product Marketing for Distil Networks.
The bots are secretly operating on millions of wireless mobile devices, such as phones. Hackers use infected devices to perform a variety of illicit tasks, such as account takeovers; gift card fraud; manipulating ticket prices; and even posting spam on social media.
Roberts said the discovery of widespread mobile bot networks came as something of a surprise to Distil Networks researchers.“We found it indirectly; we were looking at the abuse of accounts and account takeover,” Roberts said. “We suddenly realized that we were seeing a lot of mobile requests coming in — up to eight percent of the bad bots traffic that we see is now coming from these mobile devices on cell towers, going and attacking businesses around the world today.”
That led Distil engineers to closely scrutinize data requests from 100 million mobile devices on six major wireless networks, over a 45-day period. Roberts said at first, researchers doubted their own findings.
“We were actually shocked,” Roberts said. “We looked at another slice of data, and we got exactly the same number. We said, is this a one-off? So we looked at another time-frame and we got the same number.”
That figure — 5.8 percent — may not seem like much at first. Roberts uses an everyday example to put it in perspective.
“If you’re in a coffee shop, and there are 17 people in that coffee shop, you know that one of them has, probably, a high likelihood that they are launching bot requests from their phone and attacking some business around the world,” Roberts said. “They wouldn’t know anything about it.”
Another way to consider the data: with more than 300 million wireless phones and tablets in use in the U.S. alone, per industry analysts at the CTIA, Distil’s findings would suggest at least 15 million of those phones are hosting bad bots.
Infected Phone Owners Left Unaware
What’s worse, the owners of those devices carrying mobile bots almost certainly have no idea their phones and tablets are being used by bad actors.
“That’s the scary part here,” Roberts said. “It’s really difficult to say you are in a bad bot net, and you’re making bad bot requests to businesses. Not knowing that’s happening is probably quite disturbing to most people.”
Mobile bots are designed to operate in relative secrecy. Distil Networks researchers say they typically issue 50 bad data requests or attacks per day — a number too small to create a noticeable spike in the phone owner’s data. Even so, the billions of bots allow hackers to remotely conduct criminal acts without using any of their own bandwidth, instead stealing it from unwitting phone and tablet users.
Offloading the computing power to innocent phone owners is just one advantage bots give to hackers. Perhaps even more useful to cyber-crooks is the mobile bots’ ability to mask their intentions better than they might on a typical PC.
“They’re trying to appear human-like,” Roberts said. “if they’re on your phone, one of the behaviors of a phone is that it moves IP addresses. It moves from cell tower to cell tower, so it looks more human than other devices as well.”
This presents a challenge for online threat researchers and data security specialists, who look for specific patterns and other red flags to identify and stifle bot attacks.
“It’s another one of those techniques where the bot operators are trying to hide,” Roberts said. “It’s a problem that’s going to be very difficult to solve.”
Researchers say because wireless phone gateways handle so many requests, identifying and stopping attacks from mobile bots can be difficult.
A Billion-Bot Army
The problem is so widespread, Distil Networks says a whopping 21 percent of all internet traffic originates from bad bots. Eight percent comes from the mobile variety.
The bots aren’t just working by themselves. Most belong to an untold number of bot networks, enabling hackers across the globe to attack websites and servers.
Distil Networks identifies several potential uses for mobile bots:
- Identity Theft / account takeover (ATO). Bots can use information and passwords stolen in security breaches to test login sites for online accounts, allowing hackers to steal the owners’ identities.
- Gift Card Fraud. Mobile bots will look for online gift cards at retailer websites, then randomly try millions of card number and PIN combinations to find activated accounts — and drain them of cash.
- Social media spamming. Bots can plaster Twitter, Facebook, and Instagram with unwanted advertising, malicious links, and even fake news.
- Ticketing and Travel Price Manipulation. As NBC Bay Area reported earlier this year, bots have been detected in efforts to drive up airfare prices. Distil says bots are also being used to instantly buy up tickets to concerts and sporting events, handing them off to scalpers who resell tickets at exorbitant prices.
- Price Scraping. Bots can lift data from e-commerce sites, which can be used by competitors or thieves.
- Gambling. Distil says as much as half of all online bad bot activity is related to online gambling, targeting casinos and oddsmakers.
The end result, Distil says, is having a measurable effect on the global economy. “They’re committing fraud against businesses,” Roberts said. “They’re buying goods with stolen gift card numbers. They’re holding seats on airline tickets, so that they’re more expensive for real users who’re trying to get to it, or you can’t even get onto that plane, because a bot is holding that seat, trying to re-sell it somewhere else. They are performing all manner of tasks that are nefarious.”
Keeping Bots Off Your Phone
Phone and tablet users themselves are most often to blame for allowing bad bots to infect their devices.
Distil says malicious internet links or attachments in email, text messages, and on websites, open the door to malware. Once the trap is sprung, the bots are quietly installed and run in the background.
Aaron Cockerill, an executive with mobile device security provider Lookout, tells NBC Bay Area mobile phishing is the biggest unsolved problem in cyber-security.
“Phones are far more vulnerable to attack than most people realize,” Cockerill said. “The very fact we call them phones, and not computers, means you don’t think about it the same way as you do with a computer.”
Cockerill offers four steps to prevent malware, including mobile bots:
- Set a passcode to lock and unlock your phone. Cockerill says it’s shocking how many phone users don’t do this.
- Turn on auto-updates. Hackers exploit holes in apps and operating systems. Check your phone’s settings and user guide to learn how you can make sure everything is kept up-to-date.
- Only install apps from the official store. The Apple App Store, Google Play, and Amazon perform rigorous security checks on all software. If you download an app directly from a website, chances are it did not clear that process.
- Install security software. Lookout and other services offer real-time scans that warn you as soon as you click something shady.
“We jump in front and say, ‘Hey, you shouldn’t follow this link. We think it’s bad,’” Cockerill said.
Once your phone is infected, getting rid of bots can be nearly impossible — if you can even detect them at all. Engineers told NBC Bay Area a full “factory reset” of the phone — meaning the loss of all user data — would likely be necessary.
Batting Bots for the Long Haul
Cockerill says the fight to keep bots off phones begins and ends with consumers, and understanding just how vulnerable our phones really are.
“We think it’s a phone,” Cockerill said. “We should think, it’s a computer that’s permanently connected, with a camera in your pocket, and a microphone in your pocket. I don’t want everyone to get scared; I love my phone, but you have to think seriously about it as a computer, and I need to maintain it as such.”
Ultimately, Roberts says fighting off the bad bots will take diligence by bot hunters.
“It is an arms race,” Roberts said. “We have to be vigilant in preparing our defenses, in order to stop whatever change they make in their attacks.”