Android botnet claim in dispute

Researchers at Microsoft and Sophos say they believe malware-infected Android phones are sending spam via Yahoo Mail accounts as part of a botnet, but Google and mobile firm Lookout say there could be other explanations.

Terry Zink, a program manager for Microsoft Forefront Online Security, said in a blog post two days ago that he had found some spam samples that had this Message-ID:

"<1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>."

That was followed by speculation from Chester Wisniewski at Sophos, who wrote in a blog post today: "It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia. The widespread nature of source devices is unusual as most Android malware is not downloaded from Google Play, but localized "off market" download sites."

Zink then wrote an updated post today that acknowledged that the spam headers could be spoofed to look like they originate on Android devices.

"Yes, it's entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the message-ID thus overriding Yahoo's own Message-IDs and added the 'Yahoo Mail for Android' tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices," he wrote today. "On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices."

A Google spokesman provided this statement: "The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using."

Lookout Chief Technology Officer Kevin Mahaffey told CNET that: "Based on our research we have not seen any evidence of an active botnet. There are a number of alternate explanations that we're currently investigating."

And a Yahoo spokeswoman said only that "We are currently investigating the claims of a potential malware compromise operating as a botnet."

We'll let you know when the mystery is solved.

Update, July 6, 9:03 a.m. PT: In a blog post, Lookout said it is easy to spoof spam headers and message footers and that a more likely explanation involved the Yahoo Mail Android app.

"Regardless of how this spam campaign works, it was clear from initial reports that the Yahoo! Mail Android app may play a key role. After taking a detailed look at the app, we've found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail. In the interest of responsible disclosure, we cannot at this time provide details around such vulnerabilities. We've reached out to Yahoo! with this information and they have acknowledged that their mobile team is actively working on these issues."

Update, July 6, 12:25 p.m. PT: A Yahoo representative provided this statement in response to Lookout's comments: "While our investigation into claims of a potential malware compromise operating as a botnet is ongoing, we can confirm that there is not a problem with our official Yahoo Mail app for Android and there is no reason for users to uninstall the app."