Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

A bit more on that spam from an Android botnet

  • Comments 19

A quick follow-up on my previous post about spam from an Android botnet. There are a few things I need to point out:

  • Sophos discovered the same thing on their Naked Security blog:

    The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and SPF signatures.

    This is the same evidence that I found.

    It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.

  • The BBC picked up the story and got some comments from Graham Cluley of Sophos, where he says:

    Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, but this could not be proven.

    That’s true.

    This was the first time smartphones had been exploited in this way, he said. "We've seen it done experimentally to prove that it's possible by researchers, but not done by the bad guys," he told the BBC. "We are seeing a lot of activity from cybercriminals on the Android platform."

  • In the comments on various blogs, a lot of people have suggested that these headers are spoofed, or that a botnet was connecting to Yahoo Mail from Windows PCs and sending mail that way. Yes, it's entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted its own Message-ID (thus overriding Yahoo's own Message-IDs) and added the "Yahoo Mail for Android" tagline at the bottom of the message, all in an elaborate deception to make it look like the spam was coming from Android devices.

    On the other hand, the other possibility is that Android malware has become much more prevalent and, because of the platform's ubiquity, there is sufficient motivation for spammers to abuse it. The reason these messages appear to come from Android devices is that they did come from Android devices.

    Before writing my previous post, I considered both options but selected the latter.
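To make the evidence question concrete, here is an added example (my own illustration, not code from the original post or from Sophos) that separates what a receiving mail server can vouch for from what the submitting client merely claims. The message, hostnames, IP addresses and the Message-ID pattern are all constructed placeholders and do not reproduce Yahoo's real formats; the point is that the topmost Received line and the Authentication-Results stamped by our own MX are the only trustworthy parts, while the Message-ID, Date, X-Mailer and the "Yahoo! Mail on Android" tagline are whatever the client chose to send.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators the submitting client writes itself. A phone, a PC or a bot can set any of them.
CLIENT_CONTROLLED = ("Message-ID", "X-Mailer", "User-Agent", "Date")
# Footer text a mail client appends; any client can append the same string.
ANDROID_TAGLINE = "Yahoo! Mail on Android"

# Constructed sample, not a spam sample from the post. Hostnames, IPs and the
# Message-ID pattern are placeholders and do not reproduce Yahoo's real formats.
SAMPLE = """\
Received: from nm12.bullet.mail.yahoo-provider.example (nm12.bullet.mail.yahoo-provider.example [192.0.2.10])
  by mx.example.net with ESMTP id 20120704091231
  for <victim@example.net>; Wed, 04 Jul 2012 09:12:31 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender@yahoo-provider.example
Received: from [10.0.0.5] by web12.mail.yahoo-provider.example via HTTP; Wed, 04 Jul 2012 09:12:30 +0000
Message-ID: <1341393150.12345.AndroidMobile@web12.mail.yahoo-provider.example>
Date: Wed, 04 Jul 2012 09:12:30 +0000
From: sender@yahoo-provider.example
To: victim@example.net
Subject: hello
Content-Type: text/plain; charset=us-ascii

Cheap watches, click here.
Sent from Yahoo! Mail on Android
"""

# Same message, but the Authentication-Results header was written by the sender,
# not by our own MX, so it must not be believed.
FORGED_AUTHRES = SAMPLE.replace(
    "Authentication-Results: mx.example.net;",
    "Authentication-Results: mail.attacker.example;",
)


def _top_received_host(msg):
    """Host named in the Received line our own MX prepended (the only one we added)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+(\S+)", received[0])
    return m.group(1) if m else None


def _spf_result(msg, our_host):
    """SPF verdict, but only from an Authentication-Results header stamped by our_host."""
    for ar in msg.get_all("Authentication-Results") or []:
        authserv, _, rest = ar.partition(";")
        if authserv.strip() != our_host:
            continue  # not ours: a sender can type this header just like any other
        m = re.search(r"\bspf=(\w+)", rest)
        if m:
            return m.group(1)
    return None


def analyze(raw, our_host):
    """Split what our own server can vouch for from what the sender merely claims."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        # Trustworthy: which host handed the message to our MX.
        "relayed_by": _top_received_host(msg),
        # Trustworthy: the envelope sender's domain authorised that relaying host.
        "spf": _spf_result(msg, our_host),
        # Claims: anything the submitting client is free to choose.
        "client_claims": {h: str(msg[h]) for h in CLIENT_CONTROLLED if msg[h]},
        "android_tagline": ANDROID_TAGLINE in body,
    }


def verdict(report, provider_suffix):
    """What the trustworthy evidence supports, and what it leaves open."""
    relayed = (report["relayed_by"] or "").endswith(provider_suffix)
    if relayed and report["spf"] == "pass":
        # The provider's infrastructure really sent it; which client submitted it
        # (an Android app, a PC, or a bot speaking the same HTTP API) is not proven.
        return "relayed by provider; submitting client unproven"
    return "provider relay unverified"


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("forged Authentication-Results", FORGED_AUTHRES)):
        report = analyze(raw, "mx.example.net")
        print(label, report, verdict(report, "yahoo-provider.example"))
```

Run against the constructed message, the script confirms the relay and the SPF pass but still reports the submitting client as unproven, which is exactly the gap both sides of the argument are filling with their preferred explanation. With the forged Authentication-Results variant it refuses to report an SPF result at all, because that header was not stamped by our own server.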


Those are the things I wanted to add.

Comments
  • It is far more likely that someone ran packet capturing to see the http API used by yahoo for their android mail application, and wrote a simple program to send mail via that API, than that someone has a botnet on android phones installing yahoo's mail app, configuring it to use fraudulent accounts, and then driving it via the phone.

    Yahoo likely has less robust challenging/outbound filtering on the android API calls, due to less overall abuse, and general difficulties of handling those on a real phone.

  • Seems the Android bitches here have forgotten Occam's Razor.

  • I'm surprised that working for Microsoft you can't spot real or fake malware, after all no one has more experience of viruses/malware than Microsoft.

    Just drop it man, your reputation is now in tatters.

  • Could I hear your take on the HTTP usage in the yahoo app?

    I'm seeing people use it to attach your story but I'd like to hear it from your point of view.

    Thanks,

    Derry
