Despite reports from Sophos and Microsoft, several researchers remain skeptical about the existence of a spam botnet on Android devices.
The speculation over the threat began Tuesday with a blog post from Terry Zink, a program manager for Microsoft Forefront Online Security. Spam messages were being sent using the Yahoo Mail app on Android devices, Zink said. The devices were logging in to the user’s Yahoo Mail account via the app in order to send out the unwanted messages.
“We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices,” Zink wrote.
Although Zink has not found the actual Android malware responsible for the spam campaign, he argued there was indirect evidence in the messages’ email headers. In the header’s Message-ID field, each email had the string: “androidMobile,” he said. Each message also had the text: “sent from Yahoo! Mail on Android,” in the body.
Sophos researchers concurred with Zink’s assessment after analyzing the spam messages, which advertised generic medicines, penny stocks and e-cards.
“The messages appear to originate from compromised Google Android smartphones or tablets,” Chester Wisniewski, a senior security adviser for Sophos, wrote Thursday in an blog post.
While it’s not clear how these devices got infected, it’s possible that owners downloaded pirated copies of legitimate commercial apps that had been bundled to contain malware, Wisniewski said. Zink raised the possibility of a rogue Yahoo Mail app.
The originating IP addresses listed in the email headers are assigned to mobile carriers and were not likely to belong to a desktop computer, Wisniewski tweeted. Infected devices appeared to be located in the Ukraine, Russia, Chile, Argentina, Venezuela, Indonesia, Thailand, the Philippines, Lebanon, Oman and Saudi Arabia.
However, several researchers criticized the spam botnet claim, saying there was not enough proof. For instance, Stephen Doherty, security response manager at Symantec, disagreed with Wisniewski’s assertion that the IP addresses were restricted to mobile carriers.
The “vast majority of originating IPs for this spam do not appear to come from a mobile network,” Doherty wrote Thursday on Symantec Connect. Some of the IP addresses have previously been seen sending spam without mobile indicators, he said.
“While we have yet to confirm the true source of these messages, they do not actually appear to originate from a malicious Android application which sends mail through Yahoo email accounts on Android devices,” Doherty wrote.
Roel Schouwenberg, a senior malware researcher at Kaspersky Lab, tweeted that the claims were “unsubstantiated,” adding there needed to be proof.
Google has also dismissed the possibility.
“Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using,” Google said in an email statement.
Zink updated his original post on Thursday to modify his assertion and acknowledge the botnet had not yet been confirmed.
It would be possible for spammers to use a computer to strip out the Yahoo message IDs and replace them, and to add the sent-from-an-Android message in the message body, Zink admitted. Yet, this would be an “elaborate deception” by spammers, and he believed the possibility was unlikely.
The level of information currently available “is not enough to definitely identify any particular cause of the spam messages, since such information is easily replicable,” Kevin Mahaffey, CTO of Lookout Mobile Security, wrote Thursday on the company blog. For the botnet explanation to be valid, all the devices would have to be infected with some type of malware, and no one has yet detected a strain.
However, Lookout’s investigation uncovered “a number of issues” with the Yahoo Mail app “that have potentially broader implications for all Android users of Yahoo Mail,” Mahaffey wrote. Yahoo has been notified, and Lookout recommends users uninstall the app for the time being.
Yahoo did not respond to requests for comment.
Both Mahaffey and Doherty said they believe the spammers are using these techniques to evade filters, but that they are not a sign of a spam botnet. It could be possible that the mail app had a significant design flaw that allowed the app to send mail in the background, but that was unlikely, Doherty said.
However, if claims of the botnet turn out to be true, the consequences to the victims appear to be only financial, experts said. Sending thousands of spam messages off a mobile device would result in higher data traffic and a more costly phone bill.
This also highlights the risk of downloading applications from unauthorized sites instead of the official Google Play store, Neil Roiter, research director of Corero Network Security, told SCMagazine.com.
While Google has been taking steps to keep rogue applications out of the app market, with initiatives such as Bouncer, “it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites,” Roiter said.