Android spam botnet: The saga continues

Last week, researchers from Microsoft and Sophos claimed that they had uncovered a botnet involving Android mobile phones and compromised Yahoo Email accounts.

On Tuesday, Microsoft’s Terry Zink blogged that he had seen spam coming from compromised Yahoo Email accounts with a Message ID indicating that it was sent from Android devices. “We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices”, he wrote.

On Wednesday, Chester Wisniewski noted that SophosLabs had uncovered a spam campaign that appeared “to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and DKIM signatures.”

But Google vehemently disputed the researchers’ claims. “The evidence we’ve examined does not support the Android botnet claim. Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using. We’re continuing to investigate the details”, the company said in a statement obtained by the Wall Street Journal.

Kevin Mahaffey, chief technology officer with Lookout, also questioned the Android botnet claim: “A more likely explanation for this behavior appears to be insecure Android applications. In order for the botnet explanation to be valid, each of the originating devices would have to be infected with mobile malware. While this is certainly a possibility (and one that we can’t refute), there is another explanation that we believe is significantly more likely. After taking a detailed look at the [Yahoo Mail Android] app, we’ve found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail.”

In response to Google’s criticism, Zink admitted that the Message-IDs could have been spoofed. “It’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the 'Yahoo Mail for Android' tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.”

Zink added, “the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices.”

Wisniewski said that SophosLabs has found “no evidence” that the Message-IDs are forged. “The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures… The Message-IDs are all valid for the Yahoo! mailers sending them as well. It would not be possible to spoof this information externally.”

“I agree with Terry Zink at Microsoft that the evidence suggests it is Android malware and there isn't a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers”, he concluded.
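As an added illustration (not code from the article, nor from Microsoft, Sophos, Google or Lookout), the following Python reads a message's DKIM-Signature header and reports whether Message-ID is among the signed headers (the h= tag) and whether the Message-ID's host part lies under the signing domain (d=). A Message-ID listed in h= cannot be altered by a relay after signing without invalidating the signature, which is the point Wisniewski makes; it says nothing, however, about what the submitting client placed in that header before the provider signed it, which is the scenario Zink describes. The sample headers below are constructed, the signature and body-hash values are placeholders, and the code only parses the signature's claims; it does not verify b=, which requires fetching the selector's public key from DNS.

```python
"""Check whether a message's Message-ID is covered by its DKIM signature.

Added example, not from the article or any of the vendors it quotes. The
headers below are constructed samples; the DKIM b= and bh= values are
placeholders and are never verified here.
"""
import email
import re

# Constructed sample: the signer's h= list covers Message-ID, so a relay that
# rewrote Message-ID after signing would break the signature.
SAMPLE_SIGNED_MSGID = b"""Received: from mta.example.com (mta.example.com [192.0.2.10])
\tby mx.spamtrap.invalid with ESMTP; Wed, 04 Jul 2012 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
\th=Received:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
\tbh=constructedBodyHash==; b=constructedSignature==
Message-ID: <20120704100000.12345@web1.mail.example.com>
Date: Wed, 04 Jul 2012 10:00:00 +0000
From: Sender <sender@example.com>
Subject: constructed sample
To: trap@spamtrap.invalid
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Constructed body.
"""

# Constructed sample: same signer, but Message-ID is absent from h= and its
# host is not under d=, so the signature makes no claim about that header.
SAMPLE_UNSIGNED_MSGID = b"""Received: from relay.other.invalid (relay.other.invalid [198.51.100.7])
\tby mx.spamtrap.invalid with ESMTP; Wed, 04 Jul 2012 10:05:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
\th=From:Subject:To; bh=constructedBodyHash==; b=constructedSignature==
Message-ID: <20120704100500.99999@relay.other.invalid>
From: Sender <sender@example.com>
Subject: constructed sample two
To: trap@spamtrap.invalid

Constructed body.
"""


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace (CRLF plus a tab or space) is legal inside the header,
    so whitespace is stripped from tag names and from tag values.
    """
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def message_id_host(msgid: str) -> str:
    """Return the host part of a Message-ID such as <local@host>, or ''."""
    match = re.search(r"@([^>\s]+)", msgid or "")
    return match.group(1).lower() if match else ""


def analyze(raw: bytes) -> dict:
    """Report what the DKIM-Signature claims about the Message-ID header."""
    msg = email.message_from_bytes(raw)  # compat32 keeps raw folded values
    sig = msg["DKIM-Signature"]
    result = {
        "dkim_present": sig is not None,
        "signing_domain": "",
        "signed_headers": [],
        "message_id_signed": False,
        "message_id_host": message_id_host(msg["Message-ID"]),
        "message_id_under_signer": False,
    }
    if sig is None:
        return result
    tags = parse_dkim_tags(str(sig))
    domain = tags.get("d", "").lower()
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    result["signing_domain"] = domain
    result["signed_headers"] = signed
    result["message_id_signed"] = "message-id" in signed
    host = result["message_id_host"]
    result["message_id_under_signer"] = bool(domain) and (
        host == domain or host.endswith("." + domain)
    )
    return result


if __name__ == "__main__":
    for label, sample in (("signed", SAMPLE_SIGNED_MSGID),
                          ("unsigned", SAMPLE_UNSIGNED_MSGID)):
        print(label, analyze(sample))
```

The parse answers only "did the signer vouch for this Message-ID?"; a true cryptographic check of the b= value needs a DKIM library (for example dkimpy's `dkim.verify`, which does the DNS lookup) and the full raw message. A signed Message-ID under the provider's own domain is consistent with both explanations on this page: the provider's mailer generated it, or the client supplied it and the provider signed what it received.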
