Spam from an Android botnet


I came across some interesting spam samples today.

The messages all come from Yahoo Mail servers, and they are all from compromised Yahoo accounts.  They are all sending stock spam, the typical pump-and-dump variety that we’ve seen for years.

But what is interesting about them is that they all contain the following Message-ID:

Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>

Furthermore, they all have the following at the bottom of their spam:

Sent from Yahoo! Mail on Android

All of these messages are sent from Android devices.  We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices.  These devices log in to the user’s Yahoo Mail account and send spam.

Luckily, Yahoo stamps into the headers the IP address from which the device connected to its service.  I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.
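The three indicators described above (the androidMobile Message-ID, the "Sent from Yahoo! Mail on Android" footer, and the client IP that Yahoo stamps into its "via HTTP" Received hop) can be pulled out of a raw message mechanically. The Python below is an added example and is not code from the original post. Its first sample message is constructed from the Message-ID quoted above and the Received chain the author later posted in the comments, with the client IP replaced by the RFC 5737 documentation address 203.0.113.77; the second sample is a constructed message that carries the same footer and Message-ID but was handed to the receiving server by a non-Yahoo host. That contrast is the check a spam analyst wants: the footer and Message-ID are written by whatever submitted the mail, while the topmost Received line is written by your own server and is the only part of the chain the sender cannot set.

```python
import email
import re

# Constructed sample (not from the post): the Message-ID is the one quoted in
# the post, the Received chain follows the author's sample headers from the
# comments, and the client IP is an RFC 5737 documentation address.
ANDROID_SAMPLE = """\
Received: from nm28-vm6.bullet.mail.ne1.yahoo.com (98.138.91.121) by CO1EHSMHS003.bigfish.com (10.243.66.13) with Microsoft SMTP Server id 14.1.225.23; Sat, 30 Jun 2012 23:22:47 +0000
Received: from [98.138.90.48] by nm28.bullet.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000
Received: from [98.138.87.9] by tm1.bullet.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000
Received: from [127.0.0.1] by omp1009.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000
Received: from [203.0.113.77] by web121406.mail.ne1.yahoo.com via HTTP; Sat,
 30 Jun 2012 16:24:40 PDT
Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>
From: Example Sender <examplesender42@yahoo.com>
To: recipient@example.net
Subject: Hot stock alert
Content-Type: text/plain

Buy this stock now!

Sent from Yahoo! Mail on Android
"""

# Constructed counter-example: same footer and Message-ID, but the receiving
# server's own Received line shows a hand-off from a non-Yahoo host.
SPOOFED_SAMPLE = """\
Received: from mail.example.org (192.0.2.10) by mx.example.net (198.51.100.5) with ESMTP; Mon, 9 Jul 2012 16:00:00 +0000
Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>
From: Example Sender <examplesender42@yahoo.com>
To: recipient@example.net
Subject: Hot stock alert
Content-Type: text/plain

Buy this stock now!

Sent from Yahoo! Mail on Android
"""

ANDROID_MSGID = re.compile(r"^<\d+\.\d+\.androidMobile@[\w.-]+\.yahoo\.com>$")
ANDROID_FOOTER = "Sent from Yahoo! Mail on Android"
# Yahoo's webmail hop: the bracketed address is the client that connected to Yahoo.
WEBMAIL_HOP = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by ([\w.-]+\.yahoo\.com) via HTTP", re.I)
FROM_HOST = re.compile(r"^from\s+([\w.-]+)", re.I)
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)


def unfold(header_value):
    """Join a folded header (continuation lines start with whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header_value).strip()


def received_chain(msg):
    """Received headers top-down: index 0 was written by our own receiving server."""
    return [unfold(r) for r in msg.get_all("Received", [])]


def handed_off_by_yahoo(msg):
    """Trust what our own server recorded: the top Received line must say the
    message came *from* a Yahoo host, and every hop below it must have been
    written *by* a Yahoo host for the chain to be consistent with that."""
    hops = received_chain(msg)
    if not hops:
        return False
    handoff = FROM_HOST.match(hops[0])
    if not handoff or not handoff.group(1).endswith(".yahoo.com"):
        return False
    for hop in hops[1:]:
        by = BY_HOST.search(hop)
        if not by or not by.group(1).endswith(".yahoo.com"):
            return False
    return True


def originating_hop(msg):
    """Return (client_ip, webmail_host) from Yahoo's 'via HTTP' hop, or None.
    The client IP is the value to feed to a geolocation or reputation lookup."""
    for hop in reversed(received_chain(msg)):
        m = WEBMAIL_HOP.search(hop)
        if m:
            return m.group(1), m.group(2)
    return None


def plain_text_body(msg):
    """Concatenate the text/plain parts, decoding each with its declared charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Summarise the post's three indicators plus the receiving server's own view."""
    msg = email.message_from_string(raw_message)
    hop = originating_hop(msg)
    return {
        "android_message_id": bool(ANDROID_MSGID.match(msg.get("Message-ID", "").strip())),
        "android_footer": ANDROID_FOOTER in plain_text_body(msg),
        "handed_off_by_yahoo": handed_off_by_yahoo(msg),
        "client_ip": hop[0] if hop else None,
        "webmail_host": hop[1] if hop else None,
    }


if __name__ == "__main__":
    for label, sample in (("android", ANDROID_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        print(label, analyze(sample))
```

Run as a script it prints one summary per sample; on the first, all three indicators are present and the client IP 203.0.113.77 is recovered from the "via HTTP" hop, while on the second the Message-ID and footer still match but `handed_off_by_yahoo` is false and no client IP is found, which is the case where the body-level indicators alone would mislead a filter.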

What’s unusual about these countries?

I’ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app are pretty low if you get it from the Android Marketplace.  But if you get it from some guy in a back alley on the Internet, the odds go way up.

I’ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world.  Where are almost all of those countries in the list above?  Mostly in the developing world.

I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for.  Either that or they acquired a rogue Yahoo Mail app.

This ups the ante for spam filters.  If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail.  This is the next evolution in the cat-and-mouse game that is email security.

Comments (36)

  1. jader3rd says:

    Did Yahoo! create a really insecure Android app where its creds are easily lifted, or do Hotmail and gMail also suffer from this, but they block the spam before it's sent?

  2. michael says:

    I got this as well in my inbox, promoting "VIBE.PK"

  3. Michael says:

    Couldn't that header be faked, or does Yahoo enforce this information, and you've verified the messages were received from Yahoo?

  4. tzink says:

    @Michael:

    Unless they managed to create the Message-ID header and Yahoo did not rewrite, and they inserted "Sent from Yahoo! Mail for Android" as a diversion, the messages definitely came from Yahoo, as they all follow the same format that Yahoo follows.

  5. tzink says:

    Here are some sample headers:

    Received: from nm28-vm6.bullet.mail.ne1.yahoo.com (98.138.91.121) by CO1EHSMHS003.bigfish.com (10.243.66.13) with Microsoft SMTP Server id 14.1.225.23; Sat, 30 Jun 2012 23:22:47 +0000

    Received: from [98.138.90.48] by nm28.bullet.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000

    Received: from [98.138.87.9] by tm1.bullet.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000

    Received: from [127.0.0.1] by omp1009.mail.ne1.yahoo.com with NNFMP; 30 Jun 2012 23:24:40 -0000

    Received: from [redacted] by web121406.mail.ne1.yahoo.com via HTTP; Sat, 30 Jun 2012 16:24:40 PDT

  6. Paul Baxter says:

    ooh the non-existent NNFMP header,

  7. Gerardo says:

    wtf? You cannot be serious about this? My German gf, her family and friends have a mess 24/7, just like some of my Mexican friends. All my US friends report their omas and so on having the same thing. I don't know how you figure "developed" countries (apart from the strange mix you threw in there of what you consider developing or not, hehe) have better security practices. In general, no one understands anything about security, do you realize the % of people in the world with "good enough" security practices?

  8. swinteresting says:

    "If people download malicious apps onto their phone that capture keystrokes for their email software" — No need to download anything, HTC firmware already logs all hardware keyboard input and sends the logfiles back to HTC.

    Proof: http://vimeo.com/36171967

  9. RIoting Pacifist says:

    Wow it didn't take much evidence to draw the conclusion you clearly wanted.

  10. Jason K says:

    It is well known that spammers use Yahoo Mail's phone interfaces to spam through because there's less security and general random pages, advertisements and whatnot that will clog up your bot.

    You people are on a serious fishing expedition.

  11. Justan says:

    is this a botnet or just a infected device?

  12. Blog says:

    Thanks for another informative site. Where else could I get that type of information written in such an ideal way like this post. This post is really gorgeous.

  13. Blog Site says:

    This is spectacular! Simply put I appreciate reading your written content every time I get a feed alarm.

    http://janinepatterson.com/

  14. Paul Thomas says:

    > The messages all come from Yahoo Mail servers.  They are all from compromised Yahoo accounts.

    With all of the samples I've seen, the Yahoo! email address follows the same format (FirstnameLastname followed by 2 numeric characters @yahoo.com). This would suggest it is simply a botnet which has circumvented the Yahoo! Android sign-up API to create new accounts rather than those being people's actual email addresses.

  15. Steve says:

    Further proof – Headers that we've seen contain X-Originating-IPs which resolve to gprs-client-83.149.8.193.misp.ru.  Looks like a mobile device to me.

  16. Andy Watson says:

    Don't you feel it's a bit soon to be jumping to the conclusion that you've uncovered an Android-based botnet, when all you have is a bunch of pharma spam that may have originated from a mobile device?

    You state "this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices". Have you identified the C&C infrastructure behind this 'botnet'? If you've successfully intercepted these communications then please do provide some more background to back up your claims, otherwise this is nothing more than PR-driven scaremongering.

    I appreciate that you're probably keen to get your name circulated on technology news websites, but I can't help thinking that you would have been better off waiting until you identified some actual malicious code, if indeed it actually exists in the wild.

  17. me says:

    Hello, from Chile (from the developed world of Chile), I think maybe my iPhone is sending spam via my Hotmail account (deleted it from my iPhone). Is there any chance that it occurs?

    Regards from the developed world

  18. Крошка Гу says:

    This is some kind of nonsense. It's your own fault.

  19. Lilia says:

    Are you this desperate really? For someone who works at the company that has the most insecure OS ever to be invented. You come with claims "it might" when we all know mail signatures can be forged?

  20. TaserVictim says:

    You're fired. Plan on a Vancouver Island vacation.

  21. Cristian says:

    Did you check that the IP ranges belong to any cell phone provider????

  22. Sadie Story says:

    Time to get a new job? Maybe MS FUD department has something to offer?

  23. Sreejath says:

    The emails have a footer that says Sent from Yahoo! Mail on Android

    SO: All of these message are sent from Android devices

    Scintillating logic!

    So care to explain this?

    blogs.wsj.com/…/security-researchers-backtrack-on-android-malware-claim

  24. Dave says:

    just so people here know the facts as it didn't seem to be posted here 🙂

    plus.google.com/…/BqKvawfQVsf

    "This story is funny. Microsoft announced Android has a spam botnet blogs.msdn.com/…/spam-from-an-android-botnet.aspx and

    it turns out that the spam-sending botnet is on Windows PCs and using a fake "Sent from Android" signature."

  25. copolii says:

    You're a tool.

    They were sent from pcs.

  26. Rob says:

    "I’ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world."

    I think what you really wanted to write was: People in developing countries generally are dumb.

    Maybe they are, but probably they are not as dumb as you are!!

  27. Andy says:

    You really don't like Android, do you? Surprise. Try to be more objective and people will take you more seriously (excluding the press that just goes after juicy headlines).

  28. Babette says:

    I have a new Android Straight Talk cell, $140.00 It is hacked, bugged, spamed, or what ever you might want to call it. I know because I have fought with hackers on my pc in the past. "I think" Google is the problem, more so than yahoo. Everything on this "smart" phone goes through google!

  29. sam says:

    Well if they have a signature that says it, then it must be true.

  30. jcounsell says:

    this is hilarious, wow dude way to just jump to conclusions without the facts. i can say im sure you are not really in the IT field as we IT folk test the hell out of something before we report our findings. i tip my hat to you sir, well done…

  31. Pete Mitchell says:

    How does that gunshot wound to the foot feel, Terry?

  32. MicrosoftFUD says:

    Microsoft distracting the fact that their operating systems are the most infected in the world and are hosts to botnets?

  33. cain131281 says:

    My Android smart phone has been affected with an email virus. I constantly receive emails saying "mail delivery failure". All of the emails are sent, even though I have Lookout on my phone. I don't use Yahoo mail.

  34. Not Surprised says:

    With such in-depth researchers and spot-on engineers like yourself, it's hard to imagine why your OS has any bugs at all! This is pathetic. Did you do anything other than look at a signature and a couple headers before jumping on an opportunity to make the competition who is absolutely crushing you look bad, or was that the intention all along? Keep up the quality work!

  35. John Banks says:

    My experience has been that it's the Yahoo mail app on the Android device. Since removing the Yahoo mail app I have eliminated the problem. I have also written to Yahoo asking when they will re-issue the app without all the access permissions so the Android device can not be so easily hacked.

  36. arjun v says:

    looks like someones' android smartphone is sending me spam emails from Yahoo! Mail on Android app!

    the mail can be traced to "91.185.31.62" which apparently comes from a spammy neighborhood in Kazakhstan!

    the ip itself was detected to be infected with a spam sending trojan at 2012-07-09 16:00 GMT, approximately 20 hours ago, according to major cbls.

    hidden within the mail is this content:

    "It is more dangerous that you think in this country."humility, he said, "we should not die." I made the captain a although I had a very scanty allowance, being too great for a"

    the text is a reference to the books "Dracula Bram Stoker" and "Gulliver's Travels"!

    http://www.facebook.com/photo.php
