Google denies Android botnet claim

After a Microsoft engineer claimed he discovered an Android botnet sending out spam on an international scale, Google has denied the allegations. It's still unclear, however, where the spam is coming from.
Written by Emil Protalinski, Contributor

Update on July 16 - New Yahoo app vulnerability explains Android spam

On Wednesday I wrote about how Microsoft engineer Terry Zink said he discovered Android devices were being used to send spam as part of an international Android spam botnet. Today, Google got in touch with me and denied Microsoft's claim.

"The evidence does not support the Android botnet claim," a Google spokesperson said in a statement. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using."

Zink explained how he found spam e-mails were being sent from compromised Yahoo accounts accessed by Android devices. He deduced this by looking at the e-mails' header information as well as noting the "Sent from Yahoo! Mail on Android" signature. The Microsoft engineer speculated a cybercriminal had developed a new piece of malware that can access Yahoo Mail accounts on Android devices, send spam messages from them, and had linked them together to create a spam botnet.

Security firm Sophos today also shared its findings on the spam e-mails in question:

The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and SPF signatures.

Like Zink, Sophos concluded that it is "likely" Android users are downloading Trojanized pirated copies of paid Android apps. The security firm could not, however, prove that the attacks originated from Android devices. In a follow up blog post on MSDN, the Microsoft engineer agreed that this could not be stated conclusively:

In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.

Since Yahoo provides the originating IP address for its e-mails, it is possible to see where the spam is being sent from: Asia, Eastern Europe, the Middle East, and South America. The e-mails Zink got his hands on came from Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. The samples analyzed by Sophos originated from Argentina, Ukraine, Pakistan, Jordan, and Russia.

Even if you are not in any of these countries, please be careful. Android lets you download and install apps from anywhere. Please only install apps from Google Play unless you are absolutely certain you know who wrote the software you want to install.

I will keep you posted once I learn more as to whether the spam e-mails are coming from Android devices or if someone is simply making it look like they are.

Update on July 16 - New Yahoo app vulnerability explains Android spam

See also:

Editorial standards