There was a lot of reaction to the post I made yesterday about spam that appeared to originate from a mobile botnet of Android devices. I realize I didn’t make it clear that we do not have a malware sample that does this, simply evidence that strongly suggests it is happening.
Many, including Google, have suggested the messages are forged. We see no evidence of this. The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures.
The Yahoo! headers note the origin of the messages as “Web API” which could indicate either the normal Yahoo! webmail interface or, as we believe, the Android API interface referenced in the mail headers.
The Message-IDs are all valid for the Yahoo! mailers sending them as well. It would not be possible to spoof this information externally.
While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!’s API or web interfaces.
So one of two things is happening here. We either have a new PC botnet that is exploiting Yahoo!’s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages.
One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of originating IPs on cellular networks.
More interesting still is a comparison of the geographic distribution with that of traditional botnets that abuse Yahoo! webmail through the regular interface.
Of the “Android variant” of this spam 43% originated from Russia and Ukraine, and 25% from 4 Latin American countries.
The traditional Yahoo! spam? <1% from Russia and Ukraine, 48% from 5 Asian countries and 32% from 4 Latin American countries.
If this were a traditional spam bot operator you wouldn't expect such a dramatic skew from the normal distribution.
One strike against the theory is that the accounts used to send the spam appear to be randomly generated, rather than the messages being sent from victims' own Yahoo! accounts.
The other strike is that no malware using the Yahoo! Android API has been found for either platform. Until we find a sample targeting Windows, Mac or mobile phones, it will remain a mystery.
I’m sure the mystery will be solved, but we don’t know the answer right now.
I agree with Terry Zink at Microsoft that the evidence suggests it is Android malware and there isn’t a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers.
Having said that, Yahoo tends to get picked on for distributing spam, whether it's down to users with insecure passwords or a security flaw on Yahoo's end. I would have thought Yahoo should be looking into tackling misuse of its systems.
Yahoo hasn't looked at tackling their spam for *years*.
I am extremely afraid to use my Yahoo email account. I don't know how to use my Google account; with all of the updates to Google coming out almost daily, I need to go back to school just to understand the update. Apple is still in denial about having or even getting malware. I used to have Sophos on my Mac, but when the anti-virus would detect a trojan it was simple to erase; the problem was when a virus or malware was detected the instructions to remove it were vague and very complicated. I would call Apple for assistance to remove it, and their response was that Sophos was using this as a marketing tool to get me to purchase their software; I explained it was free. Then they took me through this complicated journey to determine where the malware was installed, and it was determined that it came through via my Yahoo email. The end result: my Apple ID was compromised, 2 iPads were ordered, and I ended up deleting my system per Apple. Now I am restoring it. Please, Sophos, come up with a more simplified method to eradicate viruses once they have been detected!
Hi Z
I'm afraid we can't provide support via Naked Security, but next time you may wish to take advantage of our support community at http://openforum.sophos.com/macav
I concur with your findings. A few that have hit some of my yahoo and gmail accounts have passed through the yahoo email system without error.
Nick Braak
Highwick Associates
New York City
Here are two samples:
===========================================================
41.207.203.50 is an ADSL connection in the Ivory Coast
Received: from [41.207.203.50] by web124702.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:08:56 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341587336.28815.androidMobile@web124702.mail.ne1.yahoo.com>
Date: Fri, 6 Jul 2012 08:08:56 -0700 (PDT)
============================================================
94.51.22.80 is in a small Russian city, Kopeysk
Received: from [94.51.22.80] by web140203.mail.bf1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:33:07 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341588787.53886.androidMobile@web140203.mail.bf1.yahoo.com>
Date: Fri, 6 Jul 2012 08:33:07 -0700 (PDT)
=============================================================
A test of a legitimate message sent from an Android device using the current yahoo app:
Received: from [xx.xx.xx.xx] by web122405.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 09:35:54 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341592554.72749.androidMobile@web122405.mail.ne1.yahoo.com>
Date: Fri, 6 Jul 2012 09:35:54 -0700
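The header samples above, together with the post's point that the Message-IDs are valid for the Yahoo! mailers that sent them, suggest a concrete triage check: the Yahoo! Message-ID embeds a Unix epoch and the minting host, so a message injected through Yahoo! should carry a Message-ID whose host matches the "by" host in the Received line and whose epoch matches the Date header. The script below is an added example, not code from the original post, from Yahoo!, Sophos or the commenter. The first two header blocks are copied from the comment above; the other two are constructed for illustration (the YahooMailNeo tag and the 198.51.100.x / 203.0.113.x addresses are placeholders, not observed data), and the 60-second skew tolerance is an assumption.

```python
"""Triage Yahoo! webmail headers like the ones quoted above: pull the injecting
IP, the Yahoo! host that accepted the message and the Message-ID, classify the
message by the Message-ID tag, and check that the Message-ID is consistent
with the accepting host and the Date header."""
import re
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Received line Yahoo! webmail stamps on a message injected over its HTTP interface.
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] by (?P<host>[\w.-]+\.yahoo\.com) via HTTP"
)
# Message-ID shape seen in the samples: <unix-epoch.counter.tag@host>.
MSGID_RE = re.compile(
    r"<(?P<epoch>\d+)\.(?P<counter>\d+)\.(?P<tag>[\w-]+)@(?P<host>[\w.-]+)>"
)
MAX_SKEW_SECONDS = 60  # assumption: Date and the Message-ID epoch should agree to the minute

# Two header blocks copied from the comment above; the other two are constructed for
# illustration (the YahooMailNeo tag and the documentation-range addresses are
# placeholders, not observed data).
SAMPLE_IVORY_COAST = (
    "Received: from [41.207.203.50] by web124702.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:08:56 PDT\n"
    "X-Mailer: YahooMailWebService/0.8.120.356233\n"
    "Message-ID: <1341587336.28815.androidMobile@web124702.mail.ne1.yahoo.com>\n"
    "Date: Fri, 6 Jul 2012 08:08:56 -0700 (PDT)\n"
)
SAMPLE_KOPEYSK = (
    "Received: from [94.51.22.80] by web140203.mail.bf1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:33:07 PDT\n"
    "X-Mailer: YahooMailWebService/0.8.120.356233\n"
    "Message-ID: <1341588787.53886.androidMobile@web140203.mail.bf1.yahoo.com>\n"
    "Date: Fri, 6 Jul 2012 08:33:07 -0700 (PDT)\n"
)
SAMPLE_CONSTRUCTED_WEBMAIL = (  # constructed: ordinary webmail tag, consistent headers
    "Received: from [198.51.100.23] by web120101.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 09:00:00 PDT\n"
    "X-Mailer: YahooMailWebService/0.8.120.356233\n"
    "Message-ID: <1341590400.4242.YahooMailNeo@web120101.mail.ne1.yahoo.com>\n"
    "Date: Fri, 6 Jul 2012 09:00:00 -0700 (PDT)\n"
)
SAMPLE_CONSTRUCTED_FORGED = (  # constructed: Message-ID host and epoch do not match
    "Received: from [203.0.113.7] by web124702.mail.ne1.yahoo.com via HTTP; Fri, 06 Jul 2012 08:08:56 PDT\n"
    "X-Mailer: YahooMailWebService/0.8.120.356233\n"
    "Message-ID: <1341500000.1.androidMobile@web140203.mail.bf1.yahoo.com>\n"
    "Date: Fri, 6 Jul 2012 08:08:56 -0700\n"
)
SAMPLES = [SAMPLE_IVORY_COAST, SAMPLE_KOPEYSK, SAMPLE_CONSTRUCTED_WEBMAIL, SAMPLE_CONSTRUCTED_FORGED]


def parse_headers(raw):
    """Extract the fields that matter for triage from a raw header block."""
    msg = HeaderParser().parsestr(raw)
    received = RECEIVED_RE.search(msg.get("Received", ""))
    msgid = MSGID_RE.search(msg.get("Message-ID", ""))
    date = msg.get("Date")
    return {
        "ip": received.group("ip") if received else None,
        "by_host": received.group("host") if received else None,
        "mailer": msg.get("X-Mailer"),
        "msgid_epoch": int(msgid.group("epoch")) if msgid else None,
        "msgid_tag": msgid.group("tag") if msgid else None,
        "msgid_host": msgid.group("host") if msgid else None,
        "date_epoch": int(parsedate_to_datetime(date).timestamp()) if date else None,
    }


def classify(info):
    """'android-api' when the Message-ID carries the androidMobile tag, else 'webmail'."""
    return "android-api" if info["msgid_tag"] == "androidMobile" else "webmail"


def is_consistent(info):
    """True when the Message-ID was minted by the same Yahoo! host that accepted the
    message, at the moment the Date header claims. A Message-ID pasted in from
    outside would have to get both the host and the second right."""
    if None in (info["by_host"], info["msgid_host"], info["msgid_epoch"], info["date_epoch"]):
        return False
    return (info["msgid_host"] == info["by_host"]
            and abs(info["msgid_epoch"] - info["date_epoch"]) <= MAX_SKEW_SECONDS)


def triage(samples):
    """Return (classification, consistent, injecting IP) for each raw header block."""
    return [(classify(i), is_consistent(i), i["ip"]) for i in map(parse_headers, samples)]


if __name__ == "__main__":
    for kind, ok, ip in triage(SAMPLES):
        print(f"{kind:12} consistent={ok!s:5} origin={ip}")
```

Run against the two samples from the comment, both parse as android-api with a Message-ID host equal to the accepting host and an epoch equal to the Date header to the second, which is the consistency the post points to; the constructed forged block fails on both counts. The injecting IP is what you would feed to a geolocation or cellular-range lookup to reproduce the country breakdown in the post.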
Good post, Chester. I agree with you.
Not sure if you will find this relevant, but I get text spam, which seems like it's what is infecting phones. I know this is how I would go about it. Might be something to look into. They all originate from AT&T prepaid phones, and AT&T has already informed me that these numbers are sending thousands of texts a minute and 1 IMEI is linked to multiple phone numbers, yet they will not block these numbers, and allow it to continue spamming texts to phones.
Latest number
7066629073
"Your entry in our drawing WON you a free target Giftcard! Enter "330" at target.com.tcdt.bix to claim it and we can ship it to you immediately!"
I get lots of these, and it would not surprise me, since they come through text messages, if these websites are infecting the phones of people who click the link. As for the spam email from Android mobile, yeah, I get those too. If I can find the other text, I know it is linked to a virus for Android phones. I pulled the battery out and started using a flip phone, so I know they can't affect me besides spamming me with text messages.