Researchers question Android spam botnet

Powered by SC Magazine

More proof needed.

Several researchers remain skeptical about the existence of a spam botnet on Android devices, despite reports to the contrary from Sophos and Microsoft.

The speculation over the threat began last week with Terry Zink, a program manager for Microsoft Forefront Online Security, who found spam messages were being sent using the Yahoo Mail app on Android devices.

The devices were logging in to the user's Yahoo Mail account via the app in order to send out the unwanted messages.

"We've all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices," Zink wrote.

Although Zink has not found the actual Android malware responsible for the spam campaign, he argued there was indirect evidence in the messages' email headers.

In the header's Message-ID field, each email had the string: "androidMobile," he said.

Each message also had the text: "sent from Yahoo! Mail on Android," in the body.

Sophos researchers concurred with Zink's assessment after analysing the spam messages, which advertised generic medicines, penny stocks and e-cards.

"The messages appear to originate from compromised Google Android smartphones or tablets," Chester Wisniewski, a senior security adviser for Sophos, wrote Thursday in an blog post.

While it's not clear how these devices got infected, it's possible that owners downloaded pirated copies of legitimate commercial apps that had been bundled to contain malware, Wisniewski said. Zink raised the possibility of a rogue Yahoo Mail app.

The originating IP addresses listed in the email headers are assigned to mobile carriers and were not likely to belong to a desktop computer, Wisniewski tweeted. Infected devices appeared to be located throughout the globe.

However, several researchers criticised the spam botnet claim, saying there was not enough proof.

Stephen Doherty, security response manager at Symantec, disagreed with Wisniewski's assertion that the IP addresses were restricted to mobile carriers.

The "vast majority of originating IPs for this spam do not appear to come from a mobile network," Doherty wrote Thursday on Symantec Connect. Some of the IP addresses have previously been seen sending spam without mobile indicators, he said.

"While we have yet to confirm the true source of these messages, they do not actually appear to originate from a malicious Android application which sends mail through Yahoo email accounts on Android devices," Doherty wrote.

Roel Schouwenberg, a senior malware researcher at Kaspersky Lab, tweeted that the claims were "unsubstantiated," adding there needed to be proof.

Google has also dismissed the possibility.

"Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google said in an email statement.

Zink updated his original post on Thursday to modify his assertion and acknowledge the botnet had not yet been confirmed.

It would be possible for spammers to use a computer to strip out the Yahoo message IDs and replace them, and to add the sent-from-an-Android message in the message body, Zink admitted. Yet, this would be an "elaborate deception" by spammers, and he believed the possibility was unlikely.  

The level of information currently available "is not enough to definitely identify any particular cause of the spam messages, since such information is easily replicable," Kevin Mahaffey, CTO of Lookout Mobile Security, wrote Thursday on the company blog.

For the botnet explanation to be valid, all the devices would have to be infected with some type of malware, and no one has yet detected a strain.

However, Lookout's investigation uncovered "a number of issues" with the Yahoo Mail app "that have potentially broader implications for all Android users of Yahoo Mail," Mahaffey wrote.

Yahoo has been notified, and Lookout recommends users uninstall the app for the time being.

Yahoo did not respond to requests for comment.

Both Mahaffey and Doherty said they believe the spammers are using these techniques to evade filters, but that they are not a sign of a spam botnet. It could be possible that the mail app had a significant design flaw that allowed the app to send mail in the background, but that was unlikely, Doherty said.

If claims of the botnet turn out to be true, the consequences to the victims appear to be only financial, experts said. Sending thousands of spam messages off a mobile device would result in higher data traffic and a more costly phone bill.

This also highlights the risk of downloading applications from unauthorised sites instead of the official Google Play store, Neil Roiter, research director of Corero Network Security, said.

While Google has been taking steps to keep rogue applications out of the app market, with initiatives such as Bouncer, "it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites," Roiter said.

This article originally appeared at

Copyright © SC Magazine, US edition

Researchers question Android spam botnet
Top Stories
Soft drinks and SoftLayer: A solution for hard times?
Coca-Cola Amatil's CIO Barry Simpson shares his story of cost-cutting, outsourcing and why his software developers to ride around in delivery trucks.
Optus considers breaking net neutrality in Australia
May charge Netflix, OTT providers for premium service.
AGL restructure sees CIO depart
Owen Coppage to leave after ten years.
Sign up to receive iTnews email bulletins
Latest articles on BIT Latest Articles from BIT
Small business win in a budget with 'fair' savings: Abbott
Apr 17, 2015
Tony Abbott has reaffirmed that the government’s aim is “always to get taxes ...
Xero now includes an inventory function built-in
Mar 26, 2015
Xero has added inventory and other major new features to the latest release of its cloud ...
Apple reveals its new MacBook
Mar 13, 2015
Replacing the MacBook Air as Apple's thinnest laptop, the new MacBook comes packed with features.
Xero has released a new version of its app for the iPad
Mar 6, 2015
iPad-wielding Xero users can now take advantage of a new version of the iOS app for the cloud ...
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
Latest Comments
Do you support the Government's data retention scheme?

   |   View results