Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

A bit more on that spam from an Android botnet

A bit more on that spam from an Android botnet

Rate This
  • Comments 19

A quick follow up on my previous post about spam from an Android botnet, there are a few things I need to point out:

  • Sophos discovered the same thing on their Naked Security blog:

    The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and SPF signatures.

    This is the same evidence that I found.

    It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.

  • The BBC picked up the story and got some comments from Graham Cluley of Sophos where he says:
  • Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, but this could not be proven.

    That’s true.

    This was the first time smartphones had been exploited in this way, he said. "We've seen it done experimentally to prove that it's possible by researchers, but not done by the bad guys," he told the BBC. "We are seeing a lot of activity from cybercriminals on the Android platform.

  • In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way.  Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.

    On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices.

    Before writing my previous post, I considered both options but selected the latter.


Those are the things I wanted to add.

Leave a Comment
  • Please add 4 and 4 and type the answer here:
  • Post
  • Thanks for writing this update, Terry Zink. It is likely, but not proven that Android devices (or rather, Android apps running on Android devices) are the cause. Since it hasn't been proven though, a follow-up to your July 3 post was a good idea!

    A few more things to keep in mind:

    1) Google is not available for comment as offices are closed from July 4 through July 6. Once open again, I would expect a response.

    2) Trend Micro's detailed report advises users

    "to be aware that Android is an open ecosystem where the level of vetting of applications before they are allowed on Google Play is minimal, therefore the site carries more risk than the more tightly controlled Apple App Store."

    That is a suggestion, a sensible one, but not an indictment. Better yet, here's the link to the July 2 report

    www.trendmicro.co.uk/.../the-true-face-of-the-android-threat

    3) An argument against a bot net connecting to Yahoo! mail, header spoofing and so on: I am fairly confident that Yahoo! monitors outbound email for spam. Wouldn't Yahoo! have caught this sort of activity if it was sent out directly from Yahoo! mail servers?

  • > Wouldn't Yahoo! have caught this sort of activity if it was sent out

    > directly from Yahoo! mail servers?

    Yahoo does monitor outbound spam, but this is a cat-and-mouse game. All the major webmail providers continually monitor their traffic but spammers are forever compromising accounts, all the time trying to stay one step ahead.

  • To support your previous post, have you tried to send mail from an Android device through Yahoo Mail, and verified that the mail had the same features you pointed out in the post?

  • @Chih-Cherng

    The Yahoo! mail app on android has exactly these features.

  • I do not understand the criticism against Android for allowing users to install apps from third party sources. Windows OS allows the same and faces a massive malware problem. Why is it ok for a Desktop OS to be open but mobile OS to be closed? Are you trying to say that Windows OS should get locked down as well like Windows Phone platform?

  • @Just One Question: I'm not saying that Google is either right or wrong with their model. Microsoft (and Apple) have chosen a closed model, while Google has chosen an open model. Both have their advantages, and both have their drawbacks.

    I've written in the past about what Android threats look like:

    blogs.msdn.com/.../what-android-threats-look-like.aspx

    And I have written how Google combats abuse of their platform:

    blogs.msdn.com/.../how-google-is-fighting-back-against-android-threats.aspx

    They put in a lot of hard work and effort to ensure that their users stay protected. However, malware writers are also hard at work, trying to take advantage of this consumer shift away from PCs to phones and tablets.

  • Well you just look like a complete fool... well done. I'm not sure you have sufficiently explained why you chose the latter option rather than thinking that the emails might simply be using spoofed headers.

    If you were aware that this is a possibility, why not actually investigate this? I don't see the slightest hint of proof that these messages were coming from any mobile devices, nor any effort to even try to gather proof. This is some straight up mud-slinging, and what little reputation you may have had is surely suffering for it.

  • Great fud camppaing from MS. usless "researcher" claiming without knowing.

  • Nice FUD campaign, Microsofties! LOL, LOL, LOL

    Fail on Elops, Ballmers, et al.

  • The problem is that you are looking for a specific cause because of your employer, therefore we need to take your claims with a pinch of salt.

  • Nice viral marketing for windows phone.

  • "On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices."

    Sure, it's at least a reasonable hypothesis. You did however make the following statement:

    "All of these message are sent from Android devices.  We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices."

    So how did you get from the possibility to the definitive statement that they definitely came from Android devices and that you'd discovered a botnet?

  • (Hope this doesn't double-post)

    Wow! I am certainly no friend of Microsoft - in every company I've worked in I attack them mercilessly almost every day (I'm the "Anti-Microsoft guy"). Terry Zink is absolutely NOT a MS apologist! Read this blog and you will see that he is one of the most balanced and technology neutral bloggers you will come across (and also a legend btw!). I frequently ask myself why his bosses don't reprimand him for not towing the line more!

  • Doesn't MS have enough problems of their own they should be spending time researching and fixing.

  • Well, you guys certainly would know what a freakin' botnet look like, right?

Page 1 of 2 (19 items) 12