Android spam bots? What we know for sure

Filed Under: Android, Botnet, Featured, Malware, Mobile, Spam

There was a lot of reaction to the post I made yesterday about spam that appeared to originate from a mobile botnet of Android devices. I realize I didn't make it clear that we do not have a malware sample that does this, simply evidence that strongly suggests it is happening.

Many, including Google, have suggested the messages are forged. We see no evidence of this. The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures.

The Yahoo! headers note the origin of the messages as "Web API" which could indicate either the normal Yahoo! webmail interface or, as we believe, the Android API interface referenced in the mail headers.

The Message-IDs are all valid for the Yahoo! mailers sending them as well. It would not be possible to spoof this information externally.

Email header from Android spam

While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!'s API or web interfaces.

So one of two things is happening here. We either have a new PC botnet that is exploiting Yahoo!'s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages.
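The markers the argument above rests on (a Yahoo! web-submission hop in the Received chain, a Message-ID minted by the same host that accepted the message, the "androidMobile" tag in that Message-ID, and a DKIM signature whose signing domain is yahoo.com) can be checked structurally by a spam-trap triage script. The following is an added example, not code from the original post or from Sophos. The three sample messages are constructed: their header layout follows the samples quoted in the comments below, the client IPs are RFC 5737 documentation addresses, and the cellular prefix list is a hypothetical placeholder. Only the presence of the yahoo.com signing domain is checked; cryptographic DKIM verification needs DNS and is out of scope offline.

```python
import ipaddress
import re
from email import message_from_string

# Hypothetical carrier ranges, constructed for this example from RFC 5737
# documentation space. A real triage job would load its own carrier data.
CELLULAR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Submission hop layout as quoted in the comments on this page:
#   Received: from [client-ip] by webNNNNNN.mail.XXX.yahoo.com via HTTP; <date>
RECEIVED_RE = re.compile(r"from \[(?P<ip>[0-9.]+)\] by (?P<host>[\w.-]+) via HTTP")

# Message-ID layout from the same samples: <epoch>.<counter>.<tag>@<host>
MSGID_RE = re.compile(
    r"<(?P<epoch>\d+)\.(?P<counter>\d+)(?:\.(?P<tag>[A-Za-z]+))?@(?P<host>[^>\s]+)>"
)

# The d= tag of a DKIM-Signature names the signing domain.
DKIM_DOMAIN_RE = re.compile(r"(?:^|;)\s*d=(?P<domain>[^;\s]+)")


def triage(raw: str) -> dict:
    """Classify one raw message by the Yahoo submission markers in its headers.

    Structural checks only: whether the DKIM signature verifies needs DNS.
    """
    msg = message_from_string(raw)
    result = {
        "origin_ip": None, "submit_host": None, "mailer": msg.get("X-Mailer"),
        "msgid_host": None, "msgid_tag": None, "dkim_domain": None,
        "on_cellular": False, "verdict": None,
    }

    # Scan every Received hop for the Yahoo "via HTTP" submission line rather
    # than trusting the topmost one; the client IP sits in square brackets.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        if m:
            result["origin_ip"], result["submit_host"] = m["ip"], m["host"]
            break

    m = MSGID_RE.search(msg.get("Message-ID", ""))
    if m:
        result["msgid_host"], result["msgid_tag"] = m["host"], m["tag"]

    m = DKIM_DOMAIN_RE.search(msg.get("DKIM-Signature", ""))
    if m:
        result["dkim_domain"] = m["domain"]

    if result["origin_ip"]:
        ip = ipaddress.ip_address(result["origin_ip"])
        result["on_cellular"] = any(ip in net for net in CELLULAR_PREFIXES)

    # Verdict order: no Yahoo web-submission hop at all (what an external
    # forgery would look like), then a Message-ID not issued by the accepting
    # host, then the signing domain, then the androidMobile tag.
    host = result["submit_host"] or ""
    if not host.endswith(".yahoo.com"):
        result["verdict"] = "no_yahoo_web_submission_hop"
    elif result["msgid_host"] != host:
        result["verdict"] = "message_id_host_mismatch"
    elif result["dkim_domain"] != "yahoo.com":
        result["verdict"] = "missing_yahoo_dkim"
    elif result["msgid_tag"] == "androidMobile":
        result["verdict"] = "yahoo_android_api_submission"
    else:
        result["verdict"] = "yahoo_web_submission"
    return result


# Constructed sample messages (not real spam). Header values follow the layout
# quoted in the comments on this page; client IPs are RFC 5737 addresses.
ANDROID_API_SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1024; h=Date:Message-ID; b=CONSTRUCTED
Received: from [203.0.113.45] by web124702.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:08:56 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341587336.28815.androidMobile@web124702.mail.ne1.yahoo.com>
Date: Fri, 6 Jul 2012 08:08:56 -0700 (PDT)

constructed body
"""

# Claims a Yahoo Message-ID but never passed through a Yahoo submission hop.
FORGED_LOOKING_SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7]) by mx.example.org with ESMTP; Fri, 06 Jul 2012 08:10:00 -0700
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341587400.10001.androidMobile@web124702.mail.ne1.yahoo.com>
Date: Fri, 6 Jul 2012 08:10:00 -0700

constructed body
"""

# Accepted by one Yahoo web host but carrying a Message-ID minted for another.
MISMATCH_SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1024; h=Date:Message-ID; b=CONSTRUCTED
Received: from [192.0.2.9] by web124702.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:33:07 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341588787.53886.androidMobile@web140203.mail.bf1.yahoo.com>
Date: Fri, 6 Jul 2012 08:33:07 -0700 (PDT)

constructed body
"""

if __name__ == "__main__":
    for name, raw in [("android_api", ANDROID_API_SAMPLE),
                      ("forged_looking", FORGED_LOOKING_SAMPLE),
                      ("mismatch", MISMATCH_SAMPLE)]:
        r = triage(raw)
        print(f"{name}: {r['verdict']} ip={r['origin_ip']} cellular={r['on_cellular']}")
```

Running the file prints one verdict per sample. Scanning every Received hop rather than the first matters because a trap's own relay prepends its hops above Yahoo's; the host comparison between the Received line and the Message-ID is the check that the post describes as something an outsider cannot spoof, since both are written by Yahoo's own server.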

One of the interesting data points supporting the argument that this is new Android malware is the unusually large proportion of originating IPs on cellular networks.

More interesting still was comparing the geographic distribution with that of traditional botnets that use Yahoo! webmail via the regular interface.

Of the "Android variant" of this spam, 43% originated from Russia and Ukraine and 25% from 4 Latin American countries.

The traditional Yahoo! spam? <1% from Russia and Ukraine, 48% from 5 Asian countries and 32% from 4 Latin American countries.

If this were a traditional spam bot operator, you wouldn't expect to see such a dramatic skew from the normal distribution.

One strike against the theory is that the accounts used to send the spam appear to be randomly generated, rather than the messages being sent from victims' own Yahoo! accounts.

The other strike is the total absence of malware using the Yahoo! Android API for either platform. Until we find a sample targeting Windows, Mac or mobile phones, it will remain a mystery.

I'm sure the mystery will be solved, but we don't know the answer right now.

I agree with Terry Zink at Microsoft that the evidence suggests it is Android malware and there isn't a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers.

Envelope image courtesy of Shutterstock.


7 Responses to Android spam bots? What we know for sure

  1. Having said that, Yahoo tends to get picked on for distributing spam, whether it's down to users with insecure passwords or a security flaw on Yahoo's end. I would have thought Yahoo should be looking into tackling misuse of its systems.

  2. Z Sherman · 776 days ago

    I am extremely afraid to use my Yahoo email account. I don't know how to use my Google account; with all of the updates to Google coming out almost daily, I need to go back to school just to understand the update. Apple is still in denial about having or even getting malware. I used to have Sophos on my Mac, but when the anti-virus would detect a trojan it was simple to erase; the problem was when a virus or malware was detected, the instructions to remove it were vague and very complicated. I would call Apple for assistance to remove it, and their response was that Sophos was using this as a marketing tool to get me to purchase their software; I explained it was free. Then they took me through this complicated journey to determine where the malware was installed, and it was determined that it came through via my Yahoo email. The end result: my Apple ID was compromised, 2 iPads were ordered, and I ended up deleting my system per Apple. Now I am restoring it. Please, Sophos, come up with a more simplified method to eradicate viruses once they have been detected!

  3. Nick Braak · 776 days ago

    I concur with your findings. A few that have hit some of my yahoo and gmail accounts have passed through the yahoo email system without error.

    Nick Braak
    Highwick Associates
    New York City

    Here are two samples:
    ===========================================================
    41.207.203.50 is an ADSL connection in the Ivory Coast

    Received: from [41.207.203.50] by web124702.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:08:56 PDT
    X-Mailer: YahooMailWebService/0.8.120.356233
    Message-ID: <1341587336.28815.androidMobile@web124702.mail.ne1.yahoo.com>
    Date: Fri, 6 Jul 2012 08:08:56 -0700 (PDT)
    ============================================================
    94.51.22.80 is in a small Russian city, Kopeysk

    Received: from [94.51.22.80] by web140203.mail.bf1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:33:07 PDT
    X-Mailer: YahooMailWebService/0.8.120.356233
    Message-ID: <1341588787.53886.androidMobile@web140203.mail.bf1.yahoo.com>
    Date: Fri, 6 Jul 2012 08:33:07 -0700 (PDT)
    =============================================================
    A test of a legitimate message sent from an Android device using the current yahoo app:

    Received: from [xx.xx.xx.xx] by web122405.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 09:35:54 PDT
    X-Mailer: YahooMailWebService/0.8.120.356233
    Message-ID: <1341592554.72749.androidMobile@web122405.mail.ne1.yahoo.com>
    Date: Fri, 6 Jul 2012 09:35:54 -0700

  4. Terry Zink · 776 days ago

    Good post, Chester. I agree with you.

  5. sharp · 769 days ago

    Not sure if you will find this relevant, but I get text spam, which seems like it's what is infecting phones. I know this is how I would go about it. Might be something to look into. They all originate from AT&T prepaid phones, and AT&T have already informed me that these numbers are sending thousands of texts a minute and one IMEI is linked to multiple phone numbers, yet they will not block these numbers and allow it to continue spamming texts to phones.

    Latest number
    7066629073
    "Your entry in our drawing WON you a free target Giftcard! Enter "330" at target.com.tcdt.bix to claim it and we can ship it to you immediately!"

    I get lots of these, and it would not surprise me, since they come through text messages, that these websites are infecting the phones of people who click the link. As for the spam email from Android mobile, yeah, I get those too. If I can find the other text, I know it is linked to a virus for Android phones. I pulled the battery out and started using a flip phone, so I know they can't affect me besides spamming me with text messages.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.