Android Botnet Claims Come into Question, Debate

Yesterday, SecurityWeek reported on a blog post by Microsoft security researcher Terry Zink, who said that a spammer had control of Android devices. As it turns out, while malware on the Android platform is a reality, spammers may not have gained total control.  

“All of these messages are sent from Android devices,” Zink wrote initially. He was commenting on an unusually high number of junk emails that had Yahoo Mail headers and an Android-based signature.

“We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices log in to the user's Yahoo Mail account and send spam,” he added.

However, less than twenty-four hours later, Zink softened his position. He acknowledged comments pointing out that the headers could be spoofed, echoing other security experts who noted that it was entirely possible that an infected PC was behind the junk messages.

On the other hand, he adds, “the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices.”

Either way, Google isn’t having it. In an interview with The Register, a Google spokesperson said that Microsoft’s evidence doesn’t support the claim. 

“Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.”

After Google denounced Zink’s original claims, Sophos’ Chester Wisniewski still had his doubts. “So one of two things is happening here. We either have a new PC botnet that is exploiting Yahoo!'s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages,” Wisniewski noted in a blog post.

“One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of the originating IPs on cellular networks,” he added.

SecurityWeek contacted Google with questions but received a note in reply saying the press office was closed July 4-6 for Independence Day.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.