Is there really an Android botnet sending out spam?

by: Gary Sims, July 6, 2012
Yesterday, I wrote about evidence suggesting the existence of an Android botnet that is under the control of spammers and is being used to send out spam via Yahoo! Mail. The accusation came from Terry Zink over at Microsoft.

Of course, once Google heard about this, they weren’t too happy! The creators of Android issued the following statement: “The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using.” So the question is who is right?

In light of the “scandal”, Terry has written another blog post defending his position. He quotes from Sophos’ Naked Security blog where Chester Wisniewski wrote “The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!’s free mail service and contain correct headers and SPF signatures.” Chester concluded that “It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.”

So if this isn’t a botnet, what is happening? One possible alternative is that the spammers have intentionally added the “Sent from Yahoo! Mail on Android” tagline at the bottom of the messages, in an attempt to make the spam look like it was coming from Android devices and so fool the spam filters used by the likes of Yahoo! and Google.

What we know and what we don’t know

The missing link in all of this is the actual malware itself. For a botnet to exist, the devices used by the spammers need to be remotely controlled, which means they have to be infected with malware that a) lets the device receive commands from a command-and-control server and b) has built-in Yahoo! Mail spamming abilities. To date, no one, not Sophos, not Microsoft, not Google, has a copy of this malware. If one of the big anti-virus companies finds it, that will be conclusive proof.

But what we do know is that the “Sent from Yahoo! Mail on Android” spam mainly comes from Russia and Ukraine (some 43%), and another 25% comes from Latin American countries. For “normal” Yahoo! Mail spam, less than 1% comes from Russia and Ukraine, 48% comes from Asian countries and 32% from Latin American countries. So these figures don’t match, and the Android spam is disproportionately high for Russia. This lends credence to the idea of malware that has infected devices in regions where the Google Play store isn’t widely used.
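The two signals discussed above, the “Sent from Yahoo! Mail on Android” tagline and the geographic skew of the messages carrying it, can be checked over a mail corpus. The following is an added example, not code from the post or from any of the companies it quotes; it assumes the country of each originating IP has already been resolved upstream (e.g. by a GeoIP lookup) and uses a small constructed corpus in place of real samples.

```python
from collections import Counter
from email import message_from_string

MOBILE_TAGLINE = "Sent from Yahoo! Mail on Android"


def _msg(body: str, tagline: bool = False) -> str:
    """Build a constructed plain-text message, optionally with the mobile tagline."""
    text = body + ("\n\n" + MOBILE_TAGLINE if tagline else "")
    return "From: seller@example.com\nSubject: offer\n\n" + text + "\n"


# Constructed corpus: (country of originating IP as resolved upstream, raw message).
SAMPLES = (
    [("RU", _msg("Cheap watches", True))] * 4
    + [("UA", _msg("Cheap watches", True))] * 2
    + [("AR", _msg("Cheap pills", True))] * 2
    + [("CN", _msg("Cheap pills", True))]
    + [("CN", _msg("Win a prize"))] * 5
    + [("VN", _msg("Win a prize"))] * 2
    + [("BR", _msg("Loan offer"))] * 2
    + [("RU", _msg("Loan offer"))]
)


def has_mobile_tagline(raw: str) -> bool:
    """True if the last non-empty body line is the Yahoo! Mail on Android signature."""
    body = message_from_string(raw).get_payload()
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return bool(lines) and lines[-1] == MOBILE_TAGLINE


def country_shares(samples, tagged: bool) -> dict:
    """Share of messages per country, restricted to tagged or untagged mail."""
    counts = Counter(c for c, raw in samples if has_mobile_tagline(raw) == tagged)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def skewed_countries(samples, min_ratio: float = 3.0) -> dict:
    """Countries whose share of tagline spam is at least min_ratio times their
    share of the untagged baseline (the post's 43% vs. <1% comparison)."""
    tagged, base = country_shares(samples, True), country_shares(samples, False)
    skewed = {}
    for country, share in tagged.items():
        baseline = base.get(country, 0.0)
        ratio = share / baseline if baseline else float("inf")
        if ratio >= min_ratio:
            skewed[country] = round(share, 2)
    return skewed


if __name__ == "__main__":
    print(skewed_countries(SAMPLES))
```

A skew like this only says the tagged mail is unusual relative to the baseline; it does not distinguish infected handsets from spammers appending the tagline themselves.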

Others are now also jumping into the fray. “Based on our research we have not seen any evidence of an active botnet. There are a number of alternate explanations that we’re currently investigating,” Lookout Chief Technology Officer Kevin Mahaffey told CNET. Yahoo!, meanwhile, is reported as saying only that they “are currently investigating the claims of a potential malware compromise operating as a botnet.”

So the evidence isn’t conclusive one way or the other. When we have a definitive answer, I will let you know.

