Researchers question Android spam botnet

Powered by SC Magazine

More proof needed.

Several researchers remain skeptical about the existence of a spam botnet on Android devices, despite reports to the contrary from Sophos and Microsoft.

The speculation over the threat began last week with Terry Zink, a program manager for Microsoft Forefront Online Security, who found spam messages were being sent using the Yahoo Mail app on Android devices.

The devices were logging in to the user's Yahoo Mail account via the app in order to send out the unwanted messages.

"We've all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices," Zink wrote.

Although Zink has not found the actual Android malware responsible for the spam campaign, he argued there was indirect evidence in the messages' email headers.

In the header's Message-ID field, each email had the string: "androidMobile," he said.

Each message also had the text: "sent from Yahoo! Mail on Android," in the body.

Sophos researchers concurred with Zink's assessment after analysing the spam messages, which advertised generic medicines, penny stocks and e-cards.

"The messages appear to originate from compromised Google Android smartphones or tablets," Chester Wisniewski, a senior security adviser for Sophos, wrote Thursday in an blog post.

While it's not clear how these devices got infected, it's possible that owners downloaded pirated copies of legitimate commercial apps that had been bundled to contain malware, Wisniewski said. Zink raised the possibility of a rogue Yahoo Mail app.

The originating IP addresses listed in the email headers are assigned to mobile carriers and were not likely to belong to a desktop computer, Wisniewski tweeted. Infected devices appeared to be located throughout the globe.

However, several researchers criticised the spam botnet claim, saying there was not enough proof.

Stephen Doherty, security response manager at Symantec, disagreed with Wisniewski's assertion that the IP addresses were restricted to mobile carriers.

The "vast majority of originating IPs for this spam do not appear to come from a mobile network," Doherty wrote Thursday on Symantec Connect. Some of the IP addresses have previously been seen sending spam without mobile indicators, he said.

"While we have yet to confirm the true source of these messages, they do not actually appear to originate from a malicious Android application which sends mail through Yahoo email accounts on Android devices," Doherty wrote.

Roel Schouwenberg, a senior malware researcher at Kaspersky Lab, tweeted that the claims were "unsubstantiated," adding there needed to be proof.

Google has also dismissed the possibility.

"Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google said in an email statement.

Zink updated his original post on Thursday to modify his assertion and acknowledge the botnet had not yet been confirmed.

It would be possible for spammers to use a computer to strip out the Yahoo message IDs and replace them, and to add the sent-from-an-Android message in the message body, Zink admitted. Yet, this would be an "elaborate deception" by spammers, and he believed the possibility was unlikely.  

The level of information currently available "is not enough to definitely identify any particular cause of the spam messages, since such information is easily replicable," Kevin Mahaffey, CTO of Lookout Mobile Security, wrote Thursday on the company blog.

For the botnet explanation to be valid, all the devices would have to be infected with some type of malware, and no one has yet detected a strain.

However, Lookout's investigation uncovered "a number of issues" with the Yahoo Mail app "that have potentially broader implications for all Android users of Yahoo Mail," Mahaffey wrote.

Yahoo has been notified, and Lookout recommends users uninstall the app for the time being.

Yahoo did not respond to requests for comment.

Both Mahaffey and Doherty said they believe the spammers are using these techniques to evade filters, but that they are not a sign of a spam botnet. It could be possible that the mail app had a significant design flaw that allowed the app to send mail in the background, but that was unlikely, Doherty said.

If claims of the botnet turn out to be true, the consequences to the victims appear to be only financial, experts said. Sending thousands of spam messages off a mobile device would result in higher data traffic and a more costly phone bill.

This also highlights the risk of downloading applications from unauthorised sites instead of the official Google Play store, Neil Roiter, research director of Corero Network Security, said.

While Google has been taking steps to keep rogue applications out of the app market, with initiatives such as Bouncer, "it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites," Roiter said.

This article originally appeared at

Copyright © SC Magazine, US edition

Researchers question Android spam botnet
Top Stories
Slow progress in Turnbullistan
[Blog post] How has the NBN moved ahead since regime change?
Hacks and frauds can't dampen Bitcoin buzz
[Blog post] Enthusiasts meet in Melbourne.
Qantas checks in with cloud computing
Impressed with results of public cloud bake-off.
Sign up to receive iTnews email bulletins
Latest articles on BIT Latest Articles from BIT
Have customers that won't pay debts?
Jul 10, 2014
The ACCC and ASIC have updated their advice when it comes to collecting debts.
Carpet cleaner faces court over online testimonials
Jul 4, 2014
The ACCC has initiated proceedings against A Whistle (1979) Pty Ltd, the franchisor of Electrodry...
You can now get 15GB of free online storage using Microsoft OneDrive
Jun 25, 2014
Cloud storage has reached both the capacity and price where it's a viable alternative to local ...
Another clever trick you can perform with Xero
Jun 25, 2014
Here is another way to reach out to particular subsets of your customers using Xero.
Have a phone, tablet and laptop?
Jun 20, 2014
This new Telstra pre-paid 4G mobile hotspot might be useful if you regularly need to use fast ...
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx