Google and Lookout see no evidence that Android devices are spewing spam as claimed.
Researchers at Microsoft and Sophos say they believe malware-infected Android phones are sending spam via Yahoo Mail accounts as part of a botnet, but Google and mobile firm Lookout say there could be other explanations.
Terry Zink, a program manager for Microsoft Forefront Online Security, said in a blog post two days ago that he had found some spam samples that had this Message-ID:
“<1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>.”
That was followed by speculation from Chester Wisniewski at Sophos, who wrote in a blog post today: “It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia. The widespread nature of source devices is unusual as most Android malware is not downloaded from Google Play, but localized “off market” download sites.”
Zink then wrote an updated post today that acknowledged that the spam headers could be spoofed to look like they originate on Android devices.
“Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the message-ID thus overriding Yahoo’s own Message-IDs and added the ‘Yahoo Mail for Android’ tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices,” he wrote today. “On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices.”
A Google spokesman provided this statement: “The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using.”
Lookout Chief Technology Officer Kevin Mahaffey told CNET that: “Based on our research we have not seen any evidence of an active botnet. There are a number of alternate explanations that we’re currently investigating.”
And a Yahoo spokeswoman said only that “We are currently investigating the claims of a potential malware compromise operating as a botnet.”
We’ll let you know when the mystery is solved.
