Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Spam from an Android botnet

Spam from an Android botnet

Rate This
  • Comments 36

I came across some interesting spam samples today.

The messages all come from Yahoo Mail servers.  They are all from compromised Yahoo accounts.  They are sending all stock spam, the typical pump and dump variety that we’ve seen for years.

But what is interesting about them is that they all contain the following Message-ID:

Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>

Furthermore, they all have the following at the bottom of their spam:

Sent from Yahoo! Mail on Android

All of these message are sent from Android devices.  We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices.  These devices login to the user’s Yahoo Mail account and send spam.

Luckily, Yahoo stamps the IP address in the headers of where the device connected to its service.  I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.

What’s unusual about these countries?

I’ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app is pretty low if you get it from the Android Marketplace.  But if you get it from some guy in a back alley on the Internet, the odds go way up.

I’ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world.  Where are almost all of those countries in the list above?  Mostly in the developing world.

I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for.  Either that or they acquired a rogue Yahoo Mail app.

This ups the ante for spam filters.  If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail.  This is the next evolution in the cat-and-mouse game that is email security.

Leave a Comment
  • Please add 6 and 5 and type the answer here:
  • Post
  • Did Yahoo! create a really insecure Android app where it's creds are easily lifted, or do Hotmail and gMail also suffer from this, but they block the spam before it's sent?

  • I got this as well in my inbox, promoting "VIBE.PK"

  • Couldn't that header be faked, or does Yahoo enforce this information, and you've verified the messages were received from Yahoo?

  • @Michael:

    Unless they managed to create the Message-ID header and Yahoo did not rewrite, and they inserted "Sent from Yahoo! Mail for Android" as a diversion, the messages definitely came from Yahoo, as they all follow the same format that Yahoo follows.

  • Here are some sample headers:

    Received: from nm28-vm6.bullet.mail.ne1.yahoo.com ( by CO1EHSMHS003.bigfish.com ( with Microsoft SMTP Server id; Sat, 30 Jun 2012 23:22:47 +0000

    Received: from [] by nm28.bullet.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000

    Received: from [] by tm1.bullet.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000

    Received: from [] by omp1009.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000

    Received: from [redacted] by web121406.mail.ne1.yahoo.com via HTTP; Sat,

    30 Jun 2012 16:24:40 PDT

  • ooh the non-existent NNFMP header,

  • wtf? You cannot be serious about this? My german gf, her family and friends have a mess 24/7, just like some of my mexican friends. All my US friends report their omas and so on having the same thing. I don't know how you figure "developed" countries (apart from the strange mix you threw in there of what you consider developing or not, hehe) have better security practices. In general, no one understands anything about security, do you realize the % of people in the world with "good enough" security practices?

  • "If people download malicious apps onto their phone that capture keystrokes for their email software" -- No need to download anything, HTC firmware already logs all hardware keyboard input and sends the logfiles back to HTC.

    Proof: http://vimeo.com/36171967

  • Wow it didn't take much evidence to draw the conclusion you clearly wanted.

  • It is well known that spammers use Yahoo Mail's phone interfaces to spam through because there's less security and general random pages, advertisements and whatnot that will clog up your bot.

    You people are on a serious fishing expedition.

  • is this a botnet or just a infected device?

  • Thanks for another informative site. Where else could I get that type of information written in such an ideal way like this post.This post is really goregious.

  • This is spectacular! Simply put i appreciate reading your written content everytime I get feed alarm.


  • > The messages all come from Yahoo Mail servers.  They are all from compromised Yahoo accounts.

    With all of the samples I've seen, the Yahoo! email address follows the same format (FirstnameLastname followed be 2 numeric characters @yahoo.com). This would suggest it is simply a botnet which has circumvented the Yahoo! Android sign-up API to create new accounts rather than those being peoples actual email addresses.

  • Further proof - Headers that we've seen contain X originating IP's which resolve to gprs-client-  Looks like a mobile device to me.

Page 1 of 3 (36 items) 123