Google denies Android botnet claim

Summary: After a Microsoft engineer claimed he discovered an Android botnet sending out spam on an international scale, Google has denied the allegations. It's still unclear, however, where the spam is coming from.

Update on July 16 - New Yahoo app vulnerability explains Android spam

On Wednesday I wrote about how Microsoft engineer Terry Zink said he discovered Android devices were being used to send spam as part of an international Android spam botnet. Today, Google got in touch with me and denied Microsoft's claim.

"The evidence does not support the Android botnet claim," a Google spokesperson said in a statement. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using."

Zink explained how he found spam e-mails were being sent from compromised Yahoo accounts accessed by Android devices. He deduced this by looking at the e-mails' header information as well as noting the "Sent from Yahoo! Mail on Android" signature. The Microsoft engineer speculated a cybercriminal had developed a new piece of malware that can access Yahoo Mail accounts on Android devices, send spam messages from them, and had linked them together to create a spam botnet.

Security firm Sophos today also shared its findings on the spam e-mails in question:

The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and SPF signatures.

Like Zink, Sophos concluded that it is "likely" Android users are downloading Trojanized pirated copies of paid Android apps. The security firm could not, however, prove that the attacks originated from Android devices. In a follow-up blog post on MSDN, the Microsoft engineer agreed that this could not be stated conclusively:

In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.

Since Yahoo provides the originating IP address for its e-mails, it is possible to see where the spam is being sent from: Asia, Eastern Europe, the Middle East, and South America. The e-mails Zink got his hands on came from Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. The samples analyzed by Sophos originated from Argentina, Ukraine, Pakistan, Jordan, and Russia.
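As an added illustration, not code from the article or from Zink or Sophos, the following Python snippet sorts the indicators discussed above into those the sender controls (the tagline, a sender-supplied Message-ID) and those the provider adds (the originating IP); the sample message is constructed, and the X-Originating-IP header name and the yahoo.com Message-ID domain are assumptions.

```python
import email
from email import policy

# Constructed sample for this example; it is not one of the spam messages the
# article discusses. The X-Originating-IP header name and the yahoo.com
# Message-ID domain are assumptions, not facts taken from the article.
SAMPLE = """\
From: someone@yahoo.com
To: victim@example.net
Subject: hello
Message-ID: <20120716abc@mailer.example>
X-Originating-IP: [203.0.113.7]
Content-Type: text/plain

Click here for a great deal!

Sent from Yahoo! Mail on Android
"""

ANDROID_TAGLINE = "Sent from Yahoo! Mail on Android"


def assess_android_claim(raw, expected_msgid_domain="yahoo.com"):
    """Separate indicators the sender can write from ones the provider adds;
    only the latter say anything reliable about the sending device."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    msgid = str(msg["Message-ID"] or "").strip("<> ")
    msgid_domain = msgid.rpartition("@")[2].lower()
    origin = str(msg["X-Originating-IP"] or "").strip("[] ")
    return {
        "tagline_present": ANDROID_TAGLINE in body,          # sender-controlled
        "msgid_domain": msgid_domain,
        "msgid_from_provider": msgid_domain == expected_msgid_domain
        or msgid_domain.endswith("." + expected_msgid_domain),
        "originating_ip": origin,                            # provider-added
    }


def device_evidence(findings):
    """The tagline alone never proves the device; a sender-supplied Message-ID
    weakens the claim further, and the originating IP shows where, not what."""
    if findings["tagline_present"] and not findings["msgid_from_provider"]:
        return "weak: tagline and Message-ID are both sender-controlled"
    if findings["tagline_present"]:
        return "unproven: tagline is sender-controlled"
    return "none"
```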

Even if you are not in any of these countries, please be careful. Android lets you download and install apps from anywhere. Please only install apps from Google Play unless you are absolutely certain you know who wrote the software you want to install.

I will keep you posted once I learn more as to whether the spam e-mails are coming from Android devices or if someone is simply making it look like they are.

About

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.
