Android Botnet Seen Spewing Spam - InformationWeek

If true, it's the first time Android devices have been hijacked by malware, turned into botnet nodes, and made to churn out spam.

Call it a malware first: A security researcher said he's spotted a botnet that's using exploited Android devices to send spam emails, in this case via Yahoo email servers.

"We've all heard the rumors, but this is the first time I have seen it--a spammer has control of a botnet that lives on Android devices. These devices log in to the user's Yahoo Mail account and send spam," said Microsoft researcher Terry Zink on his blog.

All of the messages appear to have been sent via compromised Yahoo accounts, said Zink. "Luckily, Yahoo stamps the IP address in the headers of where the device connected to its service. I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela," he said. According to Zink, people in those countries would be less likely to procure their Android apps from the official Google Play market, which automatically scans apps to ensure they're safe, and from which Google also rapidly excises any fraudulent apps.

In other words, Zink didn't suggest that the spam-spewing botnet that appeared to have exploited Android devices was Google's fault, but more likely caused by users seeking free applications via third-party application stores. "I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app," he said.


Security experts have long warned Android users to steer clear, whenever possible, of unofficial Android app outlets. "The report that we are seeing spam from a botnet of hijacked Android phones for the first time highlights the risk of downloading applications from unauthorized sites, rather than the official Android Market," said Neil Roiter, research director of Corero Network Security, via email. "Google is making efforts to keep rogue applications from the Android Market. However, it stands to reason that Google cannot protect users who opt to download applications from non-sanctioned sites."

Reached by email, a Google spokesman disputed Zink's findings. "The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," he said.

Zink, of course, works for Microsoft. Devices that run Microsoft's Windows Phone 7 and forthcoming Windows Phone 8 mobile operating systems compete with devices that run Android.

Why would attackers bother to send spam using Android devices? According to Zink, such a strategy would make it more difficult for Web mail providers to spot the spam. "This ups the ante for spam filters," he said. "If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail. This is the next evolution in the cat-and-mouse game that is email security."

Might attackers, however, have simply planted some Android indicators as a ruse? In response to a question posted to his blog about whether the email header information could have been faked, Zink responded: "Unless they managed to create the Message-ID header and Yahoo did not rewrite, and they inserted 'Sent from Yahoo! Mail for Android' as a diversion, the messages definitely came from Yahoo, as they all follow the same format that Yahoo follows."

Another poster noted that "headers that we've seen contain X originating IPs which resolve to," saying that it "looks like a mobile device to me." The X-Originating-IP header records the IP address from which the sender's client connected to the webmail service.

One commenter, however, suggested that the attacks could simply be "a botnet which has circumvented the Yahoo Android sign-up API to create new accounts, rather than those being people's actual email addresses." In other words, attackers may have used exploited PCs to send spam via Yahoo's Android API, and included a "sent from Android" signature in the spam to help trick Yahoo's spam filters.
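The dispute above turns on a handful of header fields: the X-Originating-IP that the webmail provider stamps, the Message-ID format, and the "Sent from Yahoo! Mail for Android" line that is nothing more than body text. The following triage script is an added example, not code from the article, from Zink, or from Yahoo; it parses raw messages, pulls out those fields, applies two simple consistency heuristics (does the body carry a mobile signature, does the Message-ID domain agree with the From domain), and tallies messages per originating IP, which is the list one would then geolocate as Zink did. The two messages embedded in it are constructed samples using documentation address ranges, and the Message-ID values are made up; nothing here encodes Yahoo's real Message-ID format.

```python
"""Email-header triage for the X-Originating-IP / mobile-signature debate above.

Added example; not code from the article, from Terry Zink, or from Yahoo.
It parses raw RFC 5322 messages and extracts the fields the discussion
turns on: the X-Originating-IP stamped by the webmail provider, the
Message-ID (and whether its domain agrees with the From domain), and
whether the body carries a "Sent from ... for Android" signature line.
Header names are standard; the messages below are constructed samples
using documentation address ranges, not real spam captures.
"""
import email
import re
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Signature line a mail client appends. The article's question is whether
# this line alone proves a mobile origin; it does not, it is just body text.
MOBILE_SIGNATURE = re.compile(r"^Sent from .+ for Android\s*$", re.MULTILINE)

# Constructed samples (documentation IPs 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_MESSAGES = [
    """\
Received: from webmail.example.net (webmail.example.net [192.0.2.10])
        by mx.example.org with ESMTP; Thu, 5 Jul 2012 12:00:00 +0000
X-Originating-IP: [203.0.113.42]
From: Alice <alice@example.net>
To: bob@example.org
Subject: great offer
Message-ID: <20120705120000.12345@example.net>
Content-Type: text/plain; charset=utf-8

Check this out.

Sent from Yahoo! Mail for Android
""",
    """\
Received: from webmail.example.net (webmail.example.net [192.0.2.10])
        by mx.example.org with ESMTP; Thu, 5 Jul 2012 12:05:00 +0000
X-Originating-IP: [198.51.100.7]
From: Carol <carol@example.net>
To: bob@example.org
Subject: great offer
Message-ID: <abc123@mailer.invalid>
Content-Type: text/plain; charset=utf-8

Check this out.
""",
]


def parse(raw: str) -> EmailMessage:
    """Parse raw text into an EmailMessage using the modern default policy."""
    return email.message_from_string(raw, policy=policy.default)


def originating_ip(msg: EmailMessage):
    """Return the X-Originating-IP value without surrounding brackets, or None."""
    raw = msg.get("X-Originating-IP")
    if raw is None:
        return None
    return raw.strip().strip("[]")


def claims_android_client(msg: EmailMessage) -> bool:
    """True if the plain-text body contains a 'Sent from ... for Android' line."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return MOBILE_SIGNATURE.search(text) is not None


def message_id_domain(msg: EmailMessage):
    """Domain part of the Message-ID header, lower-cased, or None if absent."""
    mid = msg.get("Message-ID", "")
    m = re.search(r"@([^>\s]+)>?\s*$", mid)
    return m.group(1).lower() if m else None


def triage(raw: str) -> dict:
    """Collect the header facts a reviewer would check before believing a
    'sent from a phone' claim. Heuristics only: a match does not prove the
    device type, and a mismatch is a reason to look closer, not a verdict."""
    msg = parse(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower() or None
    mid_domain = message_id_domain(msg)
    return {
        "originating_ip": originating_ip(msg),
        "claims_android_client": claims_android_client(msg),
        "message_id_domain": mid_domain,
        "message_id_matches_from_domain": mid_domain is not None and mid_domain == from_domain,
    }


def tally_by_originating_ip(raw_messages) -> dict:
    """Count messages per X-Originating-IP. The resulting IP list is what one
    would then geolocate, as Zink did; the lookup itself is outside this example."""
    counts = Counter(originating_ip(parse(raw)) for raw in raw_messages)
    counts.pop(None, None)  # messages without the header are not attributable
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(triage(raw))
    print(tally_by_originating_ip(SAMPLE_MESSAGES))
```

Run it as a script to see the triage dictionaries for both samples and the per-IP tally. The design point matches Zink's own reasoning: the body signature is free-form text anyone can type, so the provider-stamped header fields are the evidence worth weighing, and even those only narrow the question rather than settle it.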

But Graham Cluley, senior technology consultant at Sophos, told the BBC that, based on the available evidence, it did appear that the spam had been sent from exploited Android devices, which would make such an attack a real-world first.

"We've seen it done experimentally to prove that it's possible by researchers, but not done by the bad guys," he said. "The best thing you can do right now is upgrade your operating system, if that's possible ... and before you install apps onto your device, look at the reviews, because there are many bogus apps out there."

[Editor's note: Story updated to reflect Google's response.]

IT Joe
User Rank: Apprentice
7/5/2012 | 8:22:04 PM
re: Android Botnet Seen Spewing Spam
This article caught my eye because my Android phone started acting really strange after I got a text message from my wife with a link in it. I clicked the link because she said there was a cool app that I should look at, and it took me to Google Play and asked me to accept and install this app. Right now, I don't remember what the app was, but as soon as I saw this app wanted a ton of permissions that I would never allow an app to have, I backed out of it. However, I began to notice that my Yahoo! Mail app was running at 63% CPU usage and my phone was running like crap. I could barely use the phone as it was so unresponsive. I began to look at the services that were running, and nothing was running that should not have been, and nothing was using more than 1% CPU other than the Yahoo app. I uninstalled the app, downloaded and reinstalled it, and it was still doing it. I decided to reimage the phone in order to get the phone to work right after that. Once I reimaged, I reinstalled the Yahoo Mail app and everything worked fine after that. This happened about 3 or 4 weeks ago, no problems since. I have since wondered what exactly had happened on the phone that caused the Yahoo Mail app to act that way, and now I suspect I was probably infected with this exact malware. Keep in mind, I got this from Google Play, not a third-party download.
User Rank: Apprentice
7/5/2012 | 5:08:12 PM
re: Android Botnet Seen Spewing Spam
This doesn't start off sounding fishy at all: "a Microsoft researcher". No, MS has nothing to gain by making Android look bad. And then this gem: "Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, BUT THIS COULD NOT BE PROVEN." Wait, what? It hasn't been proven to come from Android phones? REALLY? And then we learn even if it is happening it's people in the third world SIDE LOADING PIRATED APPS. So as usual it's not an Android security flaw but a bunch of morons who may or may not have installed a supposed malware which came as a payload on sideloaded pirated software. LOL