A bit more on that spam from an Android botnet

A quick follow-up to my previous post about spam from an Android botnet; there are a few things I need to point out:

  • Sophos discovered the same thing on their Naked Security blog:

    The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!’s free mail service and contain correct headers and SPF signatures.

    This is the same evidence that I found.

    It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.

  • The BBC picked up the story and got some comments from Graham Cluley of Sophos, where he says:

    Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, but this could not be proven.

    That’s true.

    This was the first time smartphones had been exploited in this way, he said. "We’ve seen it done experimentally to prove that it’s possible by researchers, but not done by the bad guys," he told the BBC. "We are seeing a lot of activity from cybercriminals on the Android platform."

  • In the comments on various blogs a lot of people have suggested that these headers are spoofed, or that there was a botnet connecting to Yahoo Mail from Windows PCs and sending mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted its own Message-ID (thus overriding Yahoo’s own Message-IDs) and added the “Yahoo Mail for Android” tagline at the bottom of the message, all in an elaborate deception to make it look like the spam was coming from Android devices.

    On the other hand, the other possibility is that Android malware has become much more prevalent and, because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is that they did come from Android devices.

    Before writing my previous post, I considered both options but selected the latter.

Those are the things I wanted to add.
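To make the distinction the post turns on concrete, here is an added example (not code from the original post) that parses a constructed message and separates the clues the receiving mail server stamps itself (the Received hop and SPF result) from the clues the submitting client chooses (Message-ID, X-Mailer, body tagline). The sample headers, domains, IPs, IDs and tagline text are placeholders modelled on what the post describes, not captured spam.

```python
import email
from email import policy

# Constructed sample message; every domain, IP, ID and the tagline are
# placeholders modelled on the clues the post describes, not captured spam.
SAMPLE = """\
Received: from relay.provider.test (relay.provider.test [192.0.2.10])
        by mx.receiver.test with ESMTPS id ABC123; Wed, 4 Jul 2012 10:00:00 +0000
Received-SPF: pass (receiver.test: 192.0.2.10 is a permitted sender for provider.test)
Message-ID: <1341396000.12345.AndroidMobile@web1.provider.test>
From: sender@provider.test
To: victim@receiver.test
Subject: hello
Content-Type: text/plain

Check out this great offer.

Sent from Yahoo! Mail on Android
"""
TAGLINE = "Sent from Yahoo! Mail on Android"  # hypothetical client tagline


def classify_evidence(raw: str) -> dict:
    """Split provenance clues into those stamped by the recipient's own
    infrastructure and those the submitting client chooses itself."""
    msg = email.message_from_string(raw, policy=policy.default)
    spf = str(msg.get("Received-SPF", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    msgid = str(msg.get("Message-ID", ""))
    domain = msgid.rsplit("@", 1)[-1].rstrip(">") if "@" in msgid else ""
    return {
        # Written by the receiving MX: proves the provider's IP relayed it.
        "recipient_stamped": {
            "hops": len(msg.get_all("Received") or []),
            "spf_pass": spf.lower().startswith("pass"),
        },
        # Chosen by whatever client authenticated to the provider's
        # submission service, so these only suggest the device type.
        "sender_controlled": {
            "message_id_domain": domain,
            "android_tagline": TAGLINE in body,
        },
    }


def verdict(ev: dict) -> str:
    """Strong clues prove relay by the provider; weak clues only suggest the client."""
    if not ev["recipient_stamped"]["spf_pass"]:
        return "not relayed by provider; headers may be forged end to end"
    if ev["sender_controlled"]["android_tagline"]:
        return "relayed by provider; Android client suggested but unproven"
    return "relayed by provider; client type unknown"
```

The verdict for the sample is the situation both the post and Sophos describe: the provider demonstrably relayed the mail, while the device behind the account is only suggested by fields the sender controls.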

Comments (19)

  1. Thanks for writing this update, Terry Zink. It is likely, but not proven that Android devices (or rather, Android apps running on Android devices) are the cause. Since it hasn't been proven though, a follow-up to your July 3 post was a good idea!

    A few more things to keep in mind:

    1) Google is not available for comment as offices are closed from July 4 through July 6. Once open again, I would expect a response.

    2) Trend Micro's detailed report advises users

    "to be aware that Android is an open ecosystem where the level of vetting of applications before they are allowed on Google Play is minimal, therefore the site carries more risk than the more tightly controlled Apple App Store."

    That is a suggestion, a sensible one, but not an indictment. Better yet, here's the link to the July 2 report


    3) An argument against a botnet connecting to Yahoo! mail, header spoofing and so on: I am fairly confident that Yahoo! monitors outbound email for spam. Wouldn't Yahoo! have caught this sort of activity if it was sent out directly from Yahoo! mail servers?

  2. tzink says:

    > Wouldn't Yahoo! have caught this sort of activity if it was sent out directly from Yahoo! mail servers?

    Yahoo does monitor outbound spam, but this is a cat-and-mouse game. All the major webmail providers continually monitor their traffic but spammers are forever compromising accounts, all the time trying to stay one step ahead.

  3. Chih-Cherng says:

    To support your previous post, have you tried to send mail from an Android device through Yahoo Mail, and verified that the mail had the same features you pointed out in the post?

  4. none says:

    The Yahoo! mail app on Android has exactly these features.

  5. Just One Question says:

    I do not understand the criticism against Android for allowing users to install apps from third party sources. Windows OS allows the same and faces a massive malware problem. Why is it ok for a Desktop OS to be open but mobile OS to be closed? Are you trying to say that Windows OS should get locked down as well like Windows Phone platform?

  6. tzink says:

    @Just One Question: I'm not saying that Google is either right or wrong with their model. Microsoft (and Apple) have chosen a closed model, while Google has chosen an open model. Both have their advantages, and both have their drawbacks.

    I've written in the past about what Android threats look like:


    And I have written how Google combats abuse of their platform:


    They put in a lot of hard work and effort to ensure that their users stay protected. However, malware writers are also hard at work, trying to take advantage of this consumer shift away from PCs to phones and tablets.

  7. lol says:

    Well you just look like a complete fool… well done. I'm not sure you have sufficiently explained why you chose the latter option rather than thinking that the emails might simply be using spoofed headers.

    If you were aware that this is a possibility, why not actually investigate this? I don't see the slightest hint of proof that these messages were coming from any mobile devices, nor any effort to even try to gather proof. This is some straight up mud-slinging, and what little reputation you may have had is surely suffering for it.

  8. fud says:

    Great fud campaign from MS. Useless "researcher" claiming without knowing.

  9. FUD says:

    Nice FUD campaign, Microsofties! LOL, LOL, LOL

    Fail on Elops, Ballmers, et al.

  10. Steve says:

    The problem is that you are looking for a specific cause because of your employer, therefore we need to take your claims with a pinch of salt.

  11. Alzie says:

    Nice viral marketing for windows phone.

  12. James Duncan says:

    "On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices."

    Sure, it's at least a reasonable hypothesis. You did however make the following statement:

    "All of these message are sent from Android devices.  We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices."

    So how did you get from the possibility to the definitive statement that they definitely came from Android devices and that you'd discovered a botnet?

  13. (Hope this doesn't double-post)

    Wow! I am certainly no friend of Microsoft – in every company I've worked in I attack them mercilessly almost every day (I'm the "Anti-Microsoft guy"). Terry Zink is absolutely NOT a MS apologist! Read this blog and you will see that he is one of the most balanced and technology-neutral bloggers you will come across (and also a legend btw!). I frequently ask myself why his bosses don't reprimand him for not toeing the line more!

  14. RUBBA says:

    Doesn't MS have enough problems of their own they should be spending time researching and fixing.

  15. Momoto says:

    Well, you guys certainly would know what a freakin' botnet looks like, right?

  16. Lachlan says:

    It is far more likely that someone ran packet capturing to see the HTTP API used by Yahoo for their Android mail application, and wrote a simple program to send mail via that API, than that someone has a botnet on Android phones installing Yahoo's mail app, configuring it to use fraudulent accounts, and then driving it via the phone.

    Yahoo likely has less robust challenging/outbound filtering on the Android API calls, due to less overall abuse, and the general difficulties of handling those on a real phone.

  17. Observation says:

    Seems the Android bitches here have forgotten Occam's Razor.

  18. Gary says:

    I'm surprised that working for Microsoft you can't spot real or fake malware, after all no one has more experience of viruses/malware than Microsoft.

    Just drop it man, your reputation is now in tatters.

  19. Derry says:

    Could I hear your take on the HTTP usage in the Yahoo app?

    I'm seeing people use it to attack your story but I'd like to hear it from your point of view.