Just a short while ago we reported on claims that some Android devices were spamming via a botnet of rogue handsets. The news came via a Microsoft blog post, which showed how spam emails had “Sent from Yahoo! Mail on Android” in the text and “androidMobile” in the Message ID.
We’ve since been contacted by the guys at Lookout Mobile Security about this. Kevin Mahaffey, CTO and co-founder of Lookout, told us:
A more likely explanation for this behaviour appears to be insecure Android applications. In order for the botnet explanation to be valid, each of the originating devices would have to be infected with mobile malware. While this is certainly a possibility (and one that we can’t refute), there is another explanation that we believe is significantly more likely.
Regardless of how this spam campaign works, it was clear from initial reports that the Yahoo! Mail Android app may play a key role. After taking a detailed look at the app, we’ve found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail. In the interest of responsible disclosure, we cannot at this time provide details around such vulnerabilities. We’ve reached out to Yahoo! with this information and they have acknowledged that their mobile team is actively working on these issues.
Google have now also disputed the evidence, saying that there was nothing to support the Microsoft blog claim. Although Lookout have found some issues with the Yahoo! Mail Android app, Google are of the opinion that the mails have been altered to look like they were sent from Android phones, possibly to get round spam checkers.
Google state that:
Our analysis suggests that spammers are using infected computers and a fake mobile signature to try and bypass anti-spam mechanisms in the email platform.
A new post has now appeared on MSDN which accepts that forging the mail signature was “entirely possible”.
More needs to be done about this, including research into whether spam is being sent from IP addresses owned by mobile networks. There’s also an element of mud-slinging as Microsoft are keen to dent the success of the Android platform and vice-versa, but currently there doesn’t seem to be concrete evidence of a large-scale Android botnet.