Android Botnet Seen Spewing Spam - InformationWeek



Android Botnet Seen Spewing Spam

If true, it's the first time Android devices have been hijacked by malware, turned into botnet nodes, and made to churn out spam.

Call it a malware first: A security researcher said he's spotted a botnet that's using exploited Android devices to send spam emails, in this case via Yahoo email servers.

"We've all heard the rumors, but this is the first time I have seen it--a spammer has control of a botnet that lives on Android devices. These devices log in to the user's Yahoo Mail account and send spam," said Microsoft researcher Terry Zink on his blog.

All of the messages appear to have been sent via compromised Yahoo accounts, said Zink. "Luckily, Yahoo stamps the IP address in the headers of where the device connected to its service. I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela," he said. According to Zink, people in those countries would be less likely to procure their Android apps from the official Google Play market, which automatically scans apps to ensure they're safe, and from which Google also rapidly excises any fraudulent apps.

In other words, Zink didn't suggest that the spam-spewing botnet that appeared to have exploited Android devices was Google's fault, but more likely caused by users seeking free applications via third-party application stores. "I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app," he said.


Security experts have long warned Android users to steer clear, whenever possible, of unofficial Android app outlets. "The report that we are seeing spam from a botnet of hijacked Android phones for the first time highlights the risk of downloading applications from unauthorized sites, rather than the official Android Market," said Neil Roiter, research director at Corero Network Security, via email. "Google is making efforts to keep rogue applications from the Android Market. However, it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites."

Reached by email, a Google spokesman disputed Zink's findings. "The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," he said.

Zink, of course, works for Microsoft. Devices that run Microsoft's Windows Phone 7 and forthcoming Windows Phone 8 mobile operating systems compete with devices that run Android.

Why would attackers bother to send spam using Android devices? According to Zink, such a strategy would make it more difficult for Web mail providers to spot the spam. "This ups the ante for spam filters," he said. "If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail. This is the next evolution in the cat-and-mouse game that is email security."

Might attackers, however, have simply thrown in some Android signs as a ruse? In response to a question--posted to his blog--about whether the email header information could have been faked, Zink responded: "Unless they managed to create the Message-ID header and Yahoo did not rewrite, and they inserted 'Sent from Yahoo! Mail for Android' as a diversion, the messages definitely came from Yahoo, as they all follow the same format that Yahoo follows."

Another poster noted that "headers that we've seen contain X originating IPs which resolve to," saying that it "looks like a mobile device to me." The X-Originating-IP email header tag shows the IP address of the email sender.

One commenter, however, suggested that the attacks could simply be "a botnet which has circumvented the Yahoo Android sign-up API to create new accounts, rather than those being people's actual email addresses." In other words, attackers may have used exploited PCs to send spam via Yahoo's Android API, and included a "sent from Android" signature in the spam to help trick Yahoo's spam filters.
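The header discussion above, as an added example that is not from the article or from anyone quoted in it: a small Python triage script that pulls the provider-stamped X-Originating-IP and Message-ID out of each message, records whether the body carries the self-declared "Sent from Yahoo! Mail for Android" line (which any sender can type, so it is treated as a claim rather than evidence), and lists origin addresses shared by several different sender accounts. The messages, addresses and IPs are constructed, and the script assumes the originating-IP header is present in the bracketed form the article describes.

```python
import ipaddress
from collections import defaultdict
from email import policy
from email.parser import Parser

# Body string quoted in the article; untrusted, because the sender controls the body.
ANDROID_SIGNATURE = "Sent from Yahoo! Mail for Android"


def sample(sender, ip, msgid, android):
    """Build a constructed test message (not real spam); IPs are RFC 5737 documentation ranges."""
    sig = "\n" + ANDROID_SIGNATURE if android else ""
    return (f"From: {sender}\nMessage-ID: <{msgid}>\nX-Originating-IP: [{ip}]\n\n"
            f"Limited offer, reply today.{sig}\n")


SAMPLES = [
    sample("alice@example.com", "198.51.100.7", "constructed-1@example.com", True),
    sample("bob@example.org", "198.51.100.7", "constructed-2@example.org", True),
    sample("carol@example.com", "203.0.113.9", "constructed-3@example.com", False),
]


def triage(raw):
    """Separate what the provider stamped (IP, Message-ID) from what the sender claims (device)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    ip_text = str(msg.get("X-Originating-IP", "")).strip("[] ")
    try:
        ip = ipaddress.ip_address(ip_text)
        usable = not (ip.is_loopback or ip.is_link_local or ip.is_unspecified)
    except ValueError:
        usable = False  # missing or malformed header: cannot attribute the message to an origin
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "from": str(msg.get("From", "")),
        "origin_ip": ip_text,
        "origin_ip_usable": usable,
        "message_id": str(msg.get("Message-ID", "")),
        "claims_android": ANDROID_SIGNATURE in text,
    }


def shared_origins(raws):
    """Origin IPs used by more than one sender account: the pattern that merits a closer look."""
    senders = defaultdict(set)
    for raw in raws:
        rec = triage(raw)
        if rec["origin_ip_usable"]:
            senders[rec["origin_ip"]].add(rec["from"])
    return {ip: sorted(accounts) for ip, accounts in senders.items() if len(accounts) > 1}
```

A shared origin is only a lead: the article's own dispute shows the same pattern is consistent with a proxied PC botnet, so the device claim in the body should never decide the case on its own.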

But Graham Cluley, senior technology consultant at Sophos, told the BBC that, based on the available evidence, it did appear that the spam had been sent from exploited Android devices, which would make such an attack a real-world first.

"We've seen it done experimentally to prove that it's possible by researchers, but not done by the bad guys," he said. "The best thing you can do right now is upgrade your operating system, if that's possible ... and before you install apps onto your device, look at the reviews, because there are many bogus apps out there."

[Editor's note: Story updated to reflect Google's response.]

IT Joe,
User Rank: Apprentice
7/5/2012 | 8:22:04 PM
re: Android Botnet Seen Spewing Spam
This article caught my eye because my Android phone started acting really strange after I got a text message from my wife with a link in it. I clicked the link because she said there was a cool app that I should look at, and it took me to Google Play and asked me to accept and install this app. Right now, I don't remember what the app was but as soon as I saw this app wanted a ton of permissions that I would never allow an app to have, I backed out of it. However, I began to notice that my Yahoo! Mail app was running at 63% CPU usage and my phone was running like crap. I could barely use the phone as it was so unresponsive. I began to look at the services that were running and nothing was running that should not have been and nothing was using more than 1% CPU other than the Yahoo app. I uninstalled the app, downloaded and reinstalled it, and it was still doing it. I decided to reimage the phone in order to get the phone to work right after that. Once I reimaged I reinstalled the Yahoo Mail app and everything worked fine after that. This happened about 3 or 4 weeks ago, no problems since. I have since wondered what exactly had happened on the phone that caused the Yahoo Mail app to act that way, and now I suspect I was probably infected with this exact malware. Keep in mind, I got this from Google Play, not a third party download.
User Rank: Apprentice
7/5/2012 | 5:08:12 PM
re: Android Botnet Seen Spewing Spam
This doesn't start off sounding fishy at all, "a Microsoft researcher", no, MS has nothing to gain by making Android look bad. And then this gem: "Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, BUT THIS COULD NOT BE PROVEN." Wait, what, it hasn't been proven to come from Android phones? REALLY? And then we learn even if it is happening it's people in the third world SIDE LOADING PIRATED APPS. So as usual it's not an Android security flaw but a bunch of morons who may or may not have installed a supposed malware which came as a payload on sideloaded pirated software. LOL