Computer scientists have found what may be evidence of the world’s first large-scale smartphone botnet, allegedly running on compromised Android devices owned by subscribers in a long list of developing countries.
In a brief blog post presenting the claimed evidence, Terry Zink, a Program Manager for Microsoft Forefront Online Security, said he had found pharma spam originating from Yahoo’s email service that carried a telltale signature, “Sent from Yahoo! Mail on Android”, at the end of every message.
An immediate check of the originating IP addresses indicated the spam came from (in alphabetical order) Chile, Indonesia, Lebanon, Oman, the Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.
Zink said, “All of these messages are sent from Android devices. We’ve all heard the rumors, but this is the first time I have seen it — a spammer has control of a botnet that lives on Android devices. These devices log into the user’s Yahoo Mail account and send spam.”
The most probable explanation, he said, was that the compromised users had downloaded and installed a rogue Android app from a third-party mobile app marketplace.
“I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app,” wrote Zink.
“This is the next evolution in the cat-and-mouse game that is email security,” he added, echoing long-standing concerns that malware authors would try to build mobile bots to accompany the vast numbers already running on infected Windows PCs.
Security Firm Confirms
Security firm Sophos confirmed Zink’s finding that the spam came from genuine Yahoo accounts.
“It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia,” said Chester Wisniewski of Sophos.
Should ordinary Android users in the U.K. and U.S. be especially concerned? Not quite. It is unlikely that the fake “wrapper” apps that installed this botnet originally came from the Google Play Store. Instead, cybercriminals use unofficial download sites to lure and compromise Android users.
It does highlight that mobile carriers and phones are often left open to malware, which gives attackers an opportunity to build more capable mobile bots than previously believed. This new evidence, if proven true, would be the first confirmed instance of an Android botnet built at any scale from compromised devices.
The suspected bot (or bots) may also be significant because subscribers from multiple countries appear to be involved. Mobile bots may be relatively harder to detect, or perhaps only a few security researchers are looking at this area, which means this network of bots could have existed for quite a while.
“Android users should exercise caution when downloading applications for their devices and definitely avoid downloading pirated programs from unofficial sources,” said Wisniewski. “Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems.”
Unlikely But Possible
Google later published a statement that refuted the botnet allegations. “The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using,” reported ZDNet.
In a new blog post on Thursday, Zink said it is entirely possible that the Android message IDs in the spam email headers and the “Sent from Yahoo! Mail on Android” tag lines originated from Windows malware, as part of an elaborate ruse to make the spam appear to come from Android devices.
However, it is just as likely that these messages look this way simply because they are what they appear to be – spam from Android devices, he concluded.
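The disagreement between Zink and Google comes down to which header signals a spammer can forge. The following Python is an added illustration for this article, not code from Microsoft, Sophos, Google or Yahoo: it sorts the evidence in a constructed spam sample by the party that could have written each signal. The host names, the IP addresses (taken from the 192.0.2/24, 198.51.100/24 and 203.0.113/24 documentation ranges), the Message-ID and the trusted-domain suffix are all placeholders.

```python
"""Sort the header evidence behind a "sent from Android" spam claim by who
could have written each signal.

Added example for this article, not code from Microsoft, Sophos, Google or
Yahoo. SAMPLE is a constructed message: the host names, the IP addresses
(documentation ranges 192.0.2/24, 198.51.100/24, 203.0.113/24) and the
Message-ID are placeholders, not real spam artefacts.
"""
import re
from email import message_from_string

ANDROID_TAGLINE = "Sent from Yahoo! Mail on Android"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOP_RE = re.compile(r"from\s+(\S+)\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: our MX (example.net) received the mail from the webmail
# provider's MTA, which in turn recorded the IP of the client that submitted it.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby store.example.net with ESMTP id 4A1; Tue, 3 Jul 2012 10:00:02 +0000
Received: from mta.yahoo.invalid (mta.yahoo.invalid [198.51.100.7])
\tby mx1.example.net with ESMTP id 4A0; Tue, 3 Jul 2012 10:00:01 +0000
Received: from [203.0.113.44] by web.yahoo.invalid via HTTP; Tue, 3 Jul 2012 09:59:58 +0000
Message-ID: <20120703095958.0001@web.yahoo.invalid>
From: someone@yahoo.invalid
To: victim@example.net
Subject: cheap pills
Content-Type: text/plain

Buy now.

Sent from Yahoo! Mail on Android
"""

# The same message with the footer removed: what any other client would send.
SAMPLE_NO_TAGLINE = SAMPLE.replace("\n" + ANDROID_TAGLINE, "")


def received_ips(msg):
    """IPs found in the Received chain, most recent hop first (each relay
    prepends its own header, so the last element is the earliest hop)."""
    ips = []
    for hop in msg.get_all("Received") or []:
        m = IP_RE.search(hop)
        if m:
            ips.append(m.group(1))
    return ips


def handoff_ip(msg, trusted_suffix):
    """IP of the first hop, walking from the newest Received header downward,
    whose sending host is not ours. That header was written by our own server,
    so it is the only hop in the chain we can vouch for."""
    for hop in msg.get_all("Received") or []:
        m = FROM_HOP_RE.search(hop)
        if m and not m.group(1).endswith(trusted_suffix):
            return m.group(2)
    return None


def classify_signals(raw, trusted_suffix):
    """Return each attribution signal paired with the party that controls it."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hops = received_ips(msg)
    return {
        # A body footer is free text; a Windows bot can add the same string.
        "tagline": (ANDROID_TAGLINE in body, "sender"),
        # Set by the submitting client or by the provider's MTA.
        "message_id": (msg.get("Message-ID", ""), "sender-or-upstream"),
        # Client IP as recorded by the upstream provider; trust is theirs.
        "claimed_client_ip": (hops[-1] if hops else None, "upstream"),
        # Recorded by our own MX on receipt.
        "handoff_ip": (handoff_ip(msg, trusted_suffix), "local"),
    }


def verdict(signals):
    """Spell out what the evidence does and does not establish."""
    asserted, _ = signals["tagline"]
    if not asserted:
        return "no Android-origin assertion in message"
    client_ip, _ = signals["claimed_client_ip"]
    return ("Android origin asserted by sender-controlled content only; "
            "client network %s is checkable, device type is not" % client_ip)


if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_NO_TAGLINE):
        sig = classify_signals(raw, ".example.net")
        for name, (value, owner) in sig.items():
            print("%-18s %-20s (%s)" % (name, value, owner))
        print(verdict(sig))
        print()
```

Run against both samples, the footer is the only thing that changes; the hand-off IP our own server recorded and the client IP the provider recorded are identical whether or not the “Android” line is present. That is Google’s point: the tag line lives in body text that any client, including a Windows bot, can write, so it belongs in the weakest tier. The provider-recorded client IP is the signal Zink geolocated, and it identifies a network, not a device type, which is why the headers alone cannot settle which side is right.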