Spam from an Android botnet

I came across some interesting spam samples today.

The messages all come from Yahoo Mail servers. They are all from compromised Yahoo accounts. They are all sending stock spam, the typical pump-and-dump variety that we’ve seen for years.

But what is interesting about them is that they all contain the following Message-ID:

Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>

Furthermore, they all have the following at the bottom of their spam:

Sent from Yahoo! Mail on Android

All of these messages are sent from Android devices. We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices log in to the user’s Yahoo Mail account and send spam.

Luckily, Yahoo stamps in the headers the IP address from which the device connected to its service. I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.
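The three things the post keys on are a token in the Message-ID, a footer line in the body, and a provider-stamped connecting address. The script below is an added example, not code from the post or from Yahoo: it parses raw messages, pulls out those three indicators, and groups the originating IPs so they can be fed to a geolocation or carrier-range lookup. It assumes the stamped address lives in an `X-Originating-IP` header (the post does not name the field) and uses constructed sample messages; the Message-ID in the first sample copies the one quoted above, the other two are made up for the example.

```python
import re
from email import message_from_string
from email.message import Message

# The two markers the post reports on every sample: a token inside the
# Message-ID and a trailing line in the body.
ANDROID_MSGID_TOKEN = "androidMobile"
ANDROID_FOOTER = "Sent from Yahoo! Mail on Android"

# Assumption: the provider-stamped connecting address is carried in
# X-Originating-IP. The post only says Yahoo "stamps the IP address in the
# headers" without naming the field.
ORIGIN_HEADER = "X-Originating-IP"

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed samples. Message-ID in the first one is the post's example;
# the addresses are documentation ranges (RFC 5737).
SAMPLE_ANDROID = """\
From: victim@example.com
To: target@example.net
Subject: Hot stock pick
Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>
X-Originating-IP: [203.0.113.45]
Content-Type: text/plain; charset=us-ascii

Buy XYZ now, it is about to go up.

Sent from Yahoo! Mail on Android
"""

# Footer present but no Message-ID token: the body text is whatever the
# sender wrote, so this is the "signature can be forged" case.
SAMPLE_FOOTER_ONLY = """\
From: victim2@example.com
To: target@example.net
Subject: Hot stock pick
Message-ID: <1341147300.2211.constructed@web140302.mail.bf1.yahoo.com>
X-Originating-IP: [198.51.100.7]
Content-Type: text/plain; charset=us-ascii

Buy XYZ now, it is about to go up.

Sent from Yahoo! Mail on Android
"""

SAMPLE_PLAIN = """\
From: victim3@example.com
To: target@example.net
Subject: Hot stock pick
Message-ID: <1341147311.4401.constructed@web140302.mail.bf1.yahoo.com>
X-Originating-IP: [192.0.2.9]
Content-Type: text/plain; charset=us-ascii

Buy XYZ now, it is about to go up.
"""


def body_text(msg: Message) -> str:
    """Return the text/plain body, handling both simple and multipart mail."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "ascii", "replace")
    return ""


def originating_ip(msg: Message):
    """First IPv4 literal in the origin header, or None if absent."""
    m = IPV4_RE.search(msg.get(ORIGIN_HEADER, ""))
    return m.group(1) if m else None


def classify(raw: str) -> dict:
    """Extract the post's three indicators from one raw RFC 5322 message."""
    msg = message_from_string(raw)
    message_id = msg.get("Message-ID", "")
    text = body_text(msg).rstrip()
    last_line = text.splitlines()[-1].strip() if text else ""
    has_token = ANDROID_MSGID_TOKEN in message_id
    has_footer = last_line == ANDROID_FOOTER
    return {
        "message_id": message_id,
        "msgid_android_token": has_token,
        "android_footer": has_footer,
        # The footer is plain body text and proves nothing by itself; how much
        # the Message-ID token is worth depends on how the provider generates
        # it. The origin IP is the one field the provider records itself, so
        # that is the value to pivot on (geolocation, ASN, carrier ranges).
        "originating_ip": originating_ip(msg),
        "claims_android": has_token and has_footer,
    }


def pivot_ips(raw_messages) -> dict:
    """Group stamped origin IPs by whether both Android markers are present."""
    groups = {"claims_android": set(), "other": set()}
    for raw in raw_messages:
        r = classify(raw)
        if r["originating_ip"] is None:
            continue
        key = "claims_android" if r["claims_android"] else "other"
        groups[key].add(r["originating_ip"])
    return groups


if __name__ == "__main__":
    for name, sample in [("android", SAMPLE_ANDROID),
                         ("footer-only", SAMPLE_FOOTER_ONLY),
                         ("plain", SAMPLE_PLAIN)]:
        print(name, classify(sample))
    print(pivot_ips([SAMPLE_ANDROID, SAMPLE_FOOTER_ONLY, SAMPLE_PLAIN]))
```

Run over a mailbox of suspect messages, the `claims_android` set is the list of addresses worth checking against mobile-carrier ranges, which is the question one of the commenters below raises; the footer-only group shows why the body line alone should not drive that decision.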

What’s unusual about these countries?

I’ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app are pretty low if you get it from the Android Marketplace. But if you get it from some guy in a back alley on the Internet, the odds go way up.

I’ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world.  Where are almost all of those countries in the list above?  Mostly in the developing world.

I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for.  Either that or they acquired a rogue Yahoo Mail app.

This ups the ante for spam filters.  If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail.  This is the next evolution in the cat-and-mouse game that is email security.

  • Don't you feel it's a bit soon to be jumping to the conclusion that you've uncovered an Android-based botnet, when all you have is a bunch of pharma spam that may have originated from a mobile device?

    You state "this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices". Have you identified the C&C infrastructure behind this 'botnet'? If you've successfully intercepted these communications then please do provide some more background to back up your claims, otherwise this is nothing more than PR-driven scaremongering.

    I appreciate that you're probably keen to get your name circulated on technology news websites, but I can't help thinking that you would have been better off waiting until you identified some actual malicious code, if indeed it actually exists in the wild.

  • Hello, from Chile (from the developed world of Chile), I think maybe my iPhone is sending spam via hotmail account (deleted it from my iPhone). Is there any chance that it occurs?

    Regards from the developed world

  • Are you this desperate really? For someone who works at the company that has the most insecure OS ever to be invented. You come with claims "it might" when we all know mail signatures can be forged?

  • You're fired. Plan on a Vancouver Island vacation.

  • Did you check that the IP ranges belong to any cell phone provider????

  • Time to get a new job? Maybe MS FUD department has something to offer?

  • The emails have a footer that says Sent from Yahoo! Mail on Android

    SO: All of these messages are sent from Android devices

    Scintillating logic!

    So care to explain this?


  • Just so people here know the facts, as it didn't seem to be posted here :-)

    "This story is funny. Microsoft announced Android has a spam botnet blogs.msdn.com/.../spam-from-an-android-botnet.aspx and

    it turns out that the spam-sending botnet is on Windows PCs and using a fake "Sent from Android" signature."

  • You're a tool.

    They were sent from pcs.

  • "I’ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world."

    I think what you really wanted to write was: People in developing countries generally are dumb.

    Maybe they are, but probably they are not as dumb as you are!!

  • You really don't like Android, do you? Surprise. Try to be more objective and people will take you more seriously (excluding the press that just goes after juicy headlines).

  • I have a new Android Straight Talk cell, $140.00. It is hacked, bugged, spammed, or whatever you might want to call it. I know because I have fought with hackers on my pc in the past. "I think" Google is the problem, more so than yahoo. Everything on this "smart" phone goes through google!

  • Well if they have a signature that says it, then it must be true.

  • This is hilarious, wow dude, way to just jump to conclusions without the facts. I can say I'm sure you are not really in the IT field, as we IT folk test the hell out of something before we report our findings. I tip my hat to you sir, well done...

