"We've all heard the rumors, but this is the first time I have seen it--a spammer has control of a botnet that lives on Android devices. These devices log in to the user's Yahoo Mail account and send spam," said Microsoft researcher Terry Zink on his blog.
All of the messages appear to have been sent via compromised Yahoo accounts, said Zink. "Luckily, Yahoo stamps the IP address in the headers of where the device connected to its service. I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela," he said. According to Zink, people in those countries would be less likely to procure their Android apps from the official Google Play market, which automatically scans apps to ensure they're safe, and from which Google also rapidly excises any fraudulent apps.
In other words, Zink didn't suggest that the spam-spewing botnet that appeared to have exploited Android devices was Google's fault, but that it was more likely caused by users seeking free applications via third-party application stores. "I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app," he said.
Security experts have long warned Android users to steer clear, whenever possible, of unofficial Android app outlets. "The report that we are seeing spam from a botnet of hijacked Android phones for the first time highlights the risk of downloading applications from unauthorized sites, rather than the official Android Market," said Neil Roiter, research director at Corero Network Security, via email. "Google is making efforts to keep rogue applications from the Android Market. However, it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites."
Reached by email, a Google spokesman disputed Zink's findings. "The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," he said.
Why would attackers bother to send spam using Android devices? According to Zink, such a strategy would make it more difficult for Web mail providers to spot the spam. "This ups the ante for spam filters," he said. "If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail. This is the next evolution in the cat-and-mouse game that is email security."
Might attackers, however, have simply thrown in some Android signs as a ruse? In response to a question--posted to his blog--about whether the email header information could have been faked, Zink responded: "Unless they managed to create the Message-ID header and Yahoo did not rewrite, and they inserted 'Sent from Yahoo! Mail for Android' as a diversion, the messages definitely came from Yahoo, as they all follow the same format that Yahoo follows."
Another poster noted that "headers that we've seen contain X originating IPs which resolve to gprs-client-126.96.36.199.misp.ru," saying that it "looks like a mobile device to me." The X-Originating-IP email header is stamped by the webmail provider and records the IP address of the client that connected to the service to submit the message, which is what makes it harder for the sender to forge than anything written in the message body.
One commenter, however, suggested that the attacks could simply be "a botnet which has circumvented the Yahoo Android sign-up API to create new accounts, rather than those being people's actual email addresses." In other words, attackers may have used exploited PCs to send spam via Yahoo's Android API, and included a "sent from Android" signature in the spam to help trick Yahoo's spam filters.
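The dispute above comes down to which parts of a message the sender controls. A "Sent from Yahoo! Mail for Android" line lives in the body, so the sender can write it freely; the X-Originating-IP header and the Message-ID are added by the provider, so they are harder to forge but still only show where the message was submitted from, not what kind of device did it. The following triage script is an added example, not code from the article or from any of the researchers quoted in it. The two sample messages are constructed, the Message-ID pattern it checks is an assumption about the shape of a provider-generated identifier, and the 203.0.113.0/24 addresses are documentation ranges, not real senders.

```python
"""Rank the evidence behind a 'sent from Android' claim in a spam message.

Added example (not from the article). Assumptions are marked ASSUMPTION.
"""
import email
import re

# Body text is attacker-controlled: a signature line proves nothing on its own.
MOBILE_SIGNATURE = "Sent from Yahoo! Mail for Android"

# ASSUMPTION: illustrative shape for a provider-generated Message-ID
# (numeric tokens, a client label, '@' and a provider-owned host). Real
# providers vary; this pattern exists only to separate "looks provider-made"
# from "arbitrary value chosen by the sender".
PROVIDER_MSGID = re.compile(
    r"^<[0-9]+\.[0-9]+\.[A-Za-z0-9]+@[a-z0-9.-]+\.yahoo\.com>$"
)


def parse_originating_ip(value):
    """X-Originating-IP is usually written as '[203.0.113.45]'; return the bare IP."""
    if value is None:
        return None
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", value)
    return m.group(1) if m else None


def triage(raw: bytes) -> dict:
    """Separate provider-stamped evidence from sender-written evidence."""
    msg = email.message_from_bytes(raw)
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode("utf-8", "replace")

    ip = parse_originating_ip(msg.get("X-Originating-IP"))
    msgid = (msg.get("Message-ID") or "").strip()
    result = {
        "originating_ip": ip,
        "provider_style_message_id": bool(PROVIDER_MSGID.match(msgid)),
        "mobile_signature": MOBILE_SIGNATURE in text,
    }

    # Ranking: a provider-stamped IP plus a provider-shaped Message-ID shows the
    # message really went through the webmail service; the IP still needs
    # owner/geo attribution before anyone calls it a handset. A signature line
    # by itself is just text the sender typed.
    if result["originating_ip"] and result["provider_style_message_id"]:
        result["assessment"] = "submitted via provider; attribute the IP before calling it mobile"
    elif result["mobile_signature"]:
        result["assessment"] = "mobile claim rests on body text only; treat as unverified"
    else:
        result["assessment"] = "no mobile indicators"
    return result


# Constructed sample: provider-stamped headers plus the mobile signature.
SAMPLE_SUBMITTED_VIA_PROVIDER = b"""\
From: someone@example.com
To: victim@example.net
Subject: hello
Message-ID: <1341234567.12345.YahooMailAndroidMobile@web121704.mail.ne1.yahoo.com>
X-Originating-IP: [203.0.113.45]

cheap watches here
Sent from Yahoo! Mail for Android
"""

# Constructed sample: signature present, but no provider-stamped evidence at all.
SAMPLE_SIGNATURE_ONLY = b"""\
From: someone@example.com
To: victim@example.net
Subject: hello
Message-ID: <a1b2c3@mail.example.net>

cheap watches here
Sent from Yahoo! Mail for Android
"""

if __name__ == "__main__":
    for name, sample in (("provider", SAMPLE_SUBMITTED_VIA_PROVIDER),
                         ("signature-only", SAMPLE_SIGNATURE_ONLY)):
        print(name, triage(sample))
```

The point of the ranking is that the two samples carry the same body text and receive different assessments: only the provider-stamped fields move a message past "unverified", and even then the script deliberately stops short of concluding "Android", because a desktop bot logging in to the same webmail service would produce the same headers.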
But Graham Cluley, senior technology consultant at Sophos, told the BBC that, based on the available evidence, it did appear that the spam had been sent from exploited Android devices, which would make such an attack a real-world first.
"We've seen it done experimentally to prove that it's possible by researchers, but not done by the bad guys," he said. "The best thing you can do right now is upgrade your operating system, if that's possible ... and before you install apps onto your device, look at the reviews, because there are many bogus apps out there."
[Editor's note: Story updated to reflect Google's response.]