Researchers question Android spam botnet claims

Powered by SC Magazine
 

More proof needed.

Researchers have claimed skepticism around the existence of a spam botnet on Android devices, despite reports from Sophos and Microsoft claiming the issue was real.

Speculation surrounding the threat began last week when Terry Zink, a program manager for Microsoft Forefront Online Security, claimed spam messages were being sent using the Yahoo Mail app on Android devices.

The devices were logging in to the user's Yahoo Mail account via the app in order to send out the unwanted messages, he said.

"We've all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices," Zink wrote.

Although Zink had not found the actual Android malware responsible for the spam campaign, he argued there was indirect evidence in the messages' email headers.

In the header's Message-ID field, each email had the string: "androidMobile," he said. Each message also had the text: "sent from Yahoo! Mail on Android", in the body.

Sophos researchers concurred with Zink's assessment after analyzing the spam messages, which advertised generic medicines, penny stocks and e-cards.

"The messages appear to originate from compromised Google Android smartphones or tablets," Chester Wisniewski, a senior security adviser for Sophos, wrote Thursday in a blog post.

While it's not clear how these devices got infected, it's possible that owners downloaded pirated copies of legitimate commercial apps that had been bundled to contain malware, Wisniewski said. Zink raised the possibility of a rogue Yahoo Mail app.

The originating IP addresses listed in the email headers are assigned to mobile carriers and were not likely to belong to a desktop computer, Wisniewski tweeted.

Infected devices appeared to be located in the Ukraine, Russia, Chile, Argentina, Venezuela, Indonesia, Thailand, the Philippines, Lebanon, Oman and Saudi Arabia.

Researchers question

However, several researchers criticised the spam botnet claim, saying there was not enough proof. For instance, Stephen Doherty, security response manager at Symantec, disagreed with Wisniewski's assertion that the IP addresses were restricted to mobile carriers.

The "vast majority of originating IPs for this spam do not appear to come from a mobile network", Doherty wrote on Thursday.

Some of the IP addresses have previously been seen sending spam without mobile indicators, he said.

"While we have yet to confirm the true source of these messages, they do not actually appear to originate from a malicious Android application which sends mail through Yahoo email accounts on Android devices," Doherty wrote.

Roel Schouwenberg, a senior malware researcher at Kaspersky Lab, tweeted that the claims were "unsubstantiated," adding there needed to be proof.

Google has also dismissed the possibility.

"Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google said in an emailed statement.

Zink updated his original post on Thursday to modify his assertion and acknowledge the botnet had not yet been confirmed.

It would be possible for spammers to use a computer to strip out the Yahoo message IDs and replace them, and to add the sent-from-an-Android message in the message body, Zink admitted.

Yet, this would be an "elaborate deception" by spammers, and he believed the possibility was unlikely.  

The level of information currently available "is not enough to definitely identify any particular cause of the spam messages, since such information is easily replicable," Kevin Mahaffey, CTO of Lookout Mobile Security, wrote Thursday on the company blog.

For the botnet explanation to be valid, all the devices would have to be infected with some type of malware, and no one has yet detected a strain, he said.

However, Lookout's investigation uncovered "a number of issues" with the Yahoo Mail app "that have potentially broader implications for all Android users of Yahoo Mail," Mahaffey wrote. Yahoo has been notified, and Lookout recommends users uninstall the app for the time being.

Yahoo did not respond to requests for comment.

Both Mahaffey and Doherty said they believe the spammers are using these techniques to evade filters, but that they are not a sign of a spam botnet. The mail app potentially had a significant design flaw that allowed the app to send mail in the background, but that was unlikely, Doherty said.

However, if claims of the botnet turn out to be true, the consequences to the victims appear to be only financial, experts said. Sending thousands of spam messages off a mobile device would result in higher data traffic and a more costly phone bill.

This also highlights the risk of downloading applications from unauthorized sites instead of the official Google Play store, Neil Roiter, research director of Corero Network Security, told iTnews sister site SCMagazine.com.

While Google has been taking steps to keep rogue applications out of the app market, with initiatives such as Bouncer, "it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites," Roiter said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Researchers question Android spam botnet claims
 
 
 
Top Stories
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
What InfoSec can learn from the insurance industry
[Blog post] Another way data breach laws could help manage risk.
 
A ten-point plan for disrupting security
[Blog post] How can you defend the perimeter when it’s in the cloud?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Pass on carbon tax savings, warns ACCC
Jul 24, 2014
The ACCC is warning businesses that supply "regulated goods" to pass on any cost savings ...
Have customers that won't pay debts?
Jul 10, 2014
The ACCC and ASIC have updated their advice when it comes to collecting debts.
Carpet cleaner faces court over online testimonials
Jul 4, 2014
The ACCC has initiated proceedings against A Whistle (1979) Pty Ltd, the franchisor of Electrodry...
You can now get 15GB of free online storage using Microsoft OneDrive
Jun 25, 2014
Cloud storage has reached both the capacity and price where it's a viable alternative to local ...
Another clever trick you can perform with Xero
Jun 25, 2014
Here is another way to reach out to particular subsets of your customers using Xero.
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1030

Vote