I came across some interesting spam samples today.
The messages all come from Yahoo Mail servers, and they are all from compromised Yahoo accounts. They are all sending stock spam, the typical pump-and-dump variety that we’ve seen for years.
But what is interesting about them is that they all contain the following Message-ID:
Furthermore, they all have the following at the bottom of their spam:
Sent from Yahoo! Mail on Android
All of these messages are sent from Android devices. We’ve all heard the rumors, but this is the first time I have seen it: a spammer has control of a botnet that lives on Android devices. These devices log in to the user’s Yahoo Mail account and send spam.
Luckily, Yahoo stamps the IP address in the headers of where the device connected to its service. I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.
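The two signals described above, the "Sent from Yahoo! Mail on Android" footer and the stamped originating IP, can be pulled out of a message and checked against origin ranges an analyst supplies. This is an added example, not code from the post; the header name `X-Originating-IP`, the bracketed value format, the sample messages and the network range are all assumptions or constructed data.

```python
import email
import ipaddress
from email import policy

# Assumption: the post only says Yahoo stamps the connecting IP in the headers;
# the header name and bracketed format used here are assumed, not taken from the post.
ORIGIN_HEADER = "X-Originating-IP"
ANDROID_FOOTER = "Sent from Yahoo! Mail on Android"

# Constructed sample messages (not real captures); the Message-ID is a placeholder.
SAMPLE_SPAM = """\
From: someone@yahoo.com
To: victim@example.net
Subject: Hot stock alert
Message-ID: <placeholder@yahoo.com>
X-Originating-IP: [203.0.113.45]

Buy XYZ before it doubles!

Sent from Yahoo! Mail on Android
"""

SAMPLE_LEGIT = """\
From: friend@yahoo.com
To: me@example.net
Subject: Lunch?
X-Originating-IP: [198.51.100.7]

Are we still on for noon?
"""

def originating_ip(msg):
    """Return the stamped origin IP as a string, or None if the header is missing or malformed."""
    candidate = msg.get(ORIGIN_HEADER, "").strip().strip("[]")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

def android_yahoo_indicators(raw_message):
    """Extract the two signals the post relies on: the Android footer and the origin IP."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {"android_footer": ANDROID_FOOTER in text, "origin_ip": originating_ip(msg)}

def flag_for_review(raw_message, suspicious_networks):
    """Flag when the Android footer is present AND the origin IP falls in an analyst-supplied range."""
    ind = android_yahoo_indicators(raw_message)
    if not ind["android_footer"] or ind["origin_ip"] is None:
        return False
    ip = ipaddress.ip_address(ind["origin_ip"])
    return any(ip in ipaddress.ip_network(net) for net in suspicious_networks)
```

The geolocation step the post performed by hand is represented here by the caller's list of ranges; in practice that list would come from a GeoIP lookup of the account owner's usual region.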
What’s unusual about these countries?
I’ve written in the past that Android has the most malware of any smartphone platform, but your odds of downloading and installing a malicious Android app are pretty low if you get it from the Android Marketplace. If you get it from some guy in a back alley on the Internet, the odds go way up.
I’ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world. Where are almost all of those countries in the list above? Mostly in the developing world.
I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app.
This ups the ante for spam filters. If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail. This is the next evolution in the cat-and-mouse game that is email security.