Spam Emails: Android Botnet or Not?
July 10, 2012

As outlined by PCMag's Security Watch, researchers from Microsoft and Sophos on Wednesday said they had found the first instance of an Android botnet. The spam messages included the signature, "Sent from Yahoo! Mail on Android," prompting Microsoft researcher Terry Zink to conclude that "a spammer has control of a botnet that lives on Android devices."
Sophos chimed in, with analyst Chester Wisniewski arguing that it is "likely that Android users are downloading Trojanized pirated copies of paid Android applications."
Later that day, however, Lookout Security said "a more plausible explanation for this behavior appears to be insecure Android applications."
Lookout said the information provided by Microsoft and Sophos was not enough to "definitively identify" the cause of the spam because the data is "easily replicable."
"After taking a detailed look at the app, we've found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail," Lookout continued. "In the interest of responsible disclosure, we cannot at this time provide details around such vulnerabilities."
Microsoft's Zink and Sophos's Wisniewski have since published follow-up posts. Zink conceded that it's "entirely possible" that a bot on a compromised PC connected to Yahoo Mail inserted the Android tagline in an effort to dupe people into thinking it came from Android devices.
"On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices," he said.
Zink said he considered both options before publishing his data and "selected the latter."
In his own post, Wisniewski said he "didn't make it clear that we do not have a malware sample that does this, simply evidence that strongly suggests it is happening."
Wisniewski said he has "no evidence" of message forgery. "The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures," he wrote.
Wisniewski conceded that "we don't know the answer right now," but said "the evidence suggests it is Android malware and there isn't a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers."
For its part, Google is in the "infected PC" camp, according to the BBC. Yahoo has not yet responded to a request for comment.
Author: Chloe Albanesius, PCMag.com