Android botnet responsible for Yahoo Spam?
6th Jul 2012 | 00:55
Microsoft security researcher says 'yes,' with a caveat
Are third-party Android application repositories to blame for a recently discovered botnet that's spamming emails all around the web?
One Microsoft security researcher seems to think so – with the obvious caveat that Microsoft does make a few devices here and there that compete against Google's Android OS and related smartphones.
Terry Zink, in a blog post to his MSDN-based Cyber Security blog, noted that he recently found a number of spam messages originating through Yahoo Mail servers.
That's normally not that big of a deal, except for the fact that these spam emails appeared as if they had been sent from an Android device.
Hunting the spam
The emails' "Message-ID" tag contains a mention of "androidmobile" and, a bit more damning, the emails themselves conclude with the following line: "Sent from Yahoo! Mail on Android."
Case closed, right? Not so much.
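The two indicators described above are both carried inside the message itself, so the first step a mail analyst takes is simply to parse them out and count how many messages in a sample carry them. The following Python script is an added illustration, not code from the article or from either researcher: it parses two constructed sample messages with the standard library `email` module, reports the Message-ID "androidmobile" marker and the "Sent from Yahoo! Mail on Android" tagline, and tallies a batch. The sample Message-ID format is an assumption for illustration only; as the comments note, both fields are written by whichever client submitted the mail, which is exactly why a match is a lead rather than proof of origin.

```python
import email
from email import policy
from email.message import EmailMessage

# The tagline the spam messages ended with, as quoted in the article.
ANDROID_TAGLINE = "Sent from Yahoo! Mail on Android"
# The marker seen inside the Message-ID header, as quoted in the article.
MESSAGE_ID_MARKER = "androidmobile"

# Constructed sample messages (hypothetical addresses and Message-ID formats).
SAMPLE_ANDROID = """\
From: someone@example.com
To: victim@example.net
Subject: cheap pills
Message-ID: <1341533234.12345.androidMobile@web123.example.com>

Buy now at a totally legitimate pharmacy.

Sent from Yahoo! Mail on Android
"""

SAMPLE_PLAIN = """\
From: colleague@example.com
To: victim@example.net
Subject: lunch?
Message-ID: <20120706005500.abc123@mail.example.com>

Are you free at noon?
"""


def parse_message(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message string with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def android_indicators(msg: EmailMessage) -> dict:
    """Extract the two client-supplied indicators the article describes.

    Both the Message-ID header and the body tagline are written by the
    submitting client, so they can be set to anything by a bot on a PC
    just as easily as by a phone app. Treat a match as a triage signal
    that needs corroboration from the mail provider's submission records.
    """
    message_id = msg.get("Message-ID", "") or ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "message_id": message_id,
        "message_id_mentions_android": MESSAGE_ID_MARKER in message_id.lower(),
        "tagline_present": text.rstrip().endswith(ANDROID_TAGLINE),
    }


def claims_android_client(msg: EmailMessage) -> bool:
    """True when both indicators are present, i.e. the mail *claims* an Android origin."""
    ind = android_indicators(msg)
    return ind["message_id_mentions_android"] and ind["tagline_present"]


def triage(raw_messages) -> dict:
    """Count how many messages in a batch carry the Android-client claim."""
    total = 0
    claims = 0
    for raw in raw_messages:
        total += 1
        if claims_android_client(parse_message(raw)):
            claims += 1
    return {"total": total, "claims_android": claims}


if __name__ == "__main__":
    for raw in (SAMPLE_ANDROID, SAMPLE_PLAIN):
        print(android_indicators(parse_message(raw)))
    print(triage([SAMPLE_ANDROID, SAMPLE_PLAIN]))
```

Run against a folder of captured spam, the `triage` count reproduces the kind of observation Zink started from; what it cannot do is distinguish a phone from a PC that inserted the same header and tagline, which is the crux of the dispute below.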
Zink postulates that it's difficult to accidentally download a malware-laden app from the official Google Play marketplace, given the steps Google takes to ensure the authenticity and legitimacy of apps submitted for inclusion.
"I've written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app is pretty low if you get it from the Android Marketplace," wrote Zink in a blog post. "But if you get it from some guy in a back alley on the Internet, the odds go way up."
In other words, third-party app repositories make it a lot easier for malware developers to get their unpleasant programs onto users' smartphones, and that is exactly where Zink says he believes the spam emails are originating from: junky apps.
Chester Wisniewski, of Sophos' Naked Security blog, corroborates Zink's findings but remains just a bit shy of confirming that the messages definitely originate from Android smartphones.
"It is likely that Android users are downloading Trojanized pirated copies of paid Android applications," Wisniewski wrote. "The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia."
Google denies botnet
Google representatives deny the existence of the so-called "Android botnet."
"The evidence does not support the Android botnet claim," said a Google spokesperson in a published report. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using."
To Zink's credit, he did acknowledge in a subsequent blog post that Google's explanation could indeed be correct.
"Yes, it's entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo's own Message-IDs and added the 'Yahoo Mail for Android' tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices," Zink wrote.
However, he said he believes that the reason the spam appears to come from Android devices is because, "they did come from Android devices."