Researchers question Android spam botnet

Powered by SC Magazine
 

More proof needed.

Several researchers remain skeptical about the existence of a spam botnet on Android devices, despite reports to the contrary from Sophos and Microsoft.

The speculation over the threat began last week with Terry Zink, a program manager for Microsoft Forefront Online Security, who found spam messages were being sent using the Yahoo Mail app on Android devices.

The devices were logging in to the user's Yahoo Mail account via the app in order to send out the unwanted messages.

"We've all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices," Zink wrote.

Although Zink has not found the actual Android malware responsible for the spam campaign, he argued there was indirect evidence in the messages' email headers.

In the header's Message-ID field, each email had the string: "androidMobile," he said.

Each message also had the text: "sent from Yahoo! Mail on Android," in the body.

Sophos researchers concurred with Zink's assessment after analysing the spam messages, which advertised generic medicines, penny stocks and e-cards.

"The messages appear to originate from compromised Google Android smartphones or tablets," Chester Wisniewski, a senior security adviser for Sophos, wrote Thursday in an blog post.

While it's not clear how these devices got infected, it's possible that owners downloaded pirated copies of legitimate commercial apps that had been bundled to contain malware, Wisniewski said. Zink raised the possibility of a rogue Yahoo Mail app.

The originating IP addresses listed in the email headers are assigned to mobile carriers and were not likely to belong to a desktop computer, Wisniewski tweeted. Infected devices appeared to be located throughout the globe.

However, several researchers criticised the spam botnet claim, saying there was not enough proof.

Stephen Doherty, security response manager at Symantec, disagreed with Wisniewski's assertion that the IP addresses were restricted to mobile carriers.

The "vast majority of originating IPs for this spam do not appear to come from a mobile network," Doherty wrote Thursday on Symantec Connect. Some of the IP addresses have previously been seen sending spam without mobile indicators, he said.

"While we have yet to confirm the true source of these messages, they do not actually appear to originate from a malicious Android application which sends mail through Yahoo email accounts on Android devices," Doherty wrote.

Roel Schouwenberg, a senior malware researcher at Kaspersky Lab, tweeted that the claims were "unsubstantiated," adding there needed to be proof.

Google has also dismissed the possibility.

"Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google said in an email statement.

Zink updated his original post on Thursday to modify his assertion and acknowledge the botnet had not yet been confirmed.

It would be possible for spammers to use a computer to strip out the Yahoo message IDs and replace them, and to add the sent-from-an-Android message in the message body, Zink admitted. Yet, this would be an "elaborate deception" by spammers, and he believed the possibility was unlikely.  

The level of information currently available "is not enough to definitely identify any particular cause of the spam messages, since such information is easily replicable," Kevin Mahaffey, CTO of Lookout Mobile Security, wrote Thursday on the company blog.

For the botnet explanation to be valid, all the devices would have to be infected with some type of malware, and no one has yet detected a strain.

However, Lookout's investigation uncovered "a number of issues" with the Yahoo Mail app "that have potentially broader implications for all Android users of Yahoo Mail," Mahaffey wrote.

Yahoo has been notified, and Lookout recommends users uninstall the app for the time being.

Yahoo did not respond to requests for comment.

Both Mahaffey and Doherty said they believe the spammers are using these techniques to evade filters, but that they are not a sign of a spam botnet. It could be possible that the mail app had a significant design flaw that allowed the app to send mail in the background, but that was unlikely, Doherty said.

If claims of the botnet turn out to be true, the consequences to the victims appear to be only financial, experts said. Sending thousands of spam messages off a mobile device would result in higher data traffic and a more costly phone bill.

This also highlights the risk of downloading applications from unauthorised sites instead of the official Google Play store, Neil Roiter, research director of Corero Network Security, said.

While Google has been taking steps to keep rogue applications out of the app market, with initiatives such as Bouncer, "it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites," Roiter said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Researchers question Android spam botnet
 
 
 
Top Stories
Toll Group to go Google
Poaches Woolworths project manager.
 
How News Corp's CIO tackled skills in his race to the cloud
What to do when your team’s talents are no longer needed.
 
Photos: How Thodey transformed Telstra
From turbulent Trujillo to Australia's leading telco.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
The 2015 Xero Roadshow is on: here are the locations and dates
Feb 6, 2015
The 2015 Xero Roadshow kicked off this week - see where you can attend at locations around ...
Microsoft Outlook is now on iPhone and iPad: why could this be useful?
Jan 30, 2015
Microsoft today released Office for Android and Outlook for iOS - complementing the other Office ...
Franchisees, here's something you should know about
Jan 23, 2015
You need to know the Code if you are a franchisee or franchisor as the penalties are significant.
Xero users rejoice! Quoting has finally arrived
Jan 23, 2015
It has taken years, but Xero has at last added integrated quoting to its online accounting software.
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 3956

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 1347

Vote