The hierarchical architecture of present day cellular data networks implies that a large number of base stations depend on a small number of core network elements for essential services (including Internet connectivity). If a mobile botnet launches a distributed signaling attack on one or more core network elements (e.g., gateway), a large number of subscribers would experience service degradation. In this work, we propose a new detector that examines a subset of IP packets transmitted by a mobile station (MS) to determine its infection status. Service providers can install this detector anywhere in the data path, i.e., MS, Base Station (BS), gateway, etc., to detect and quarantine infected terminals. The proposed algorithm was trained using one week of IP packet traces generated by 62 different smartphones. Results indicate that this method can detect most types of signaling attacks with more than 0.9 detection probability and less than 0.1 false alarm probability.