There was a lot of reaction to the post I made yesterday about spam that appeared to originate from a mobile botnet of Android devices. I realize I didn’t make it clear that we do not have a malware sample that does this, simply evidence that strongly suggests it is happening.
Many, including Google, have suggested the messages are forged. We see no evidence of this. The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures.
The Yahoo! headers note the origin of the messages as “Web API” which could indicate either the normal Yahoo! webmail interface or, as we believe, the Android API interface referenced in the mail headers.
The Message-IDs are all valid for the Yahoo! mailers sending them as well. It would not be possible to spoof this information externally.
While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!’s API or web interfaces.
So one of two things is happening here. We either have a new PC botnet that is exploiting Yahoo!’s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages.
One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of the originating IPs on cellular networks.
More interesting was to compare the geographic distribution to traditional botnets that use Yahoo! webmail via the regular interface.
Of the “Android variant” of this spam 43% originated from Russia and Ukraine, and 25% from 4 Latin American countries.
The traditional Yahoo! spam? <1% from Russia and Ukraine, 48% from 5 Asian countries and 32% from 4 Latin American countries.
If this was a traditional spam bot operator you wouldn't expect to see such a dramatic skew from the normal distribution.
One strike against the theory is that the accounts used to send the spam appear to be randomly generated, not like the messages are being sent using victim Yahoo! accounts.
The other strike is the total absence of malware using the Yahoo! Android API for either platform. Until we find a sample targeting Windows, Mac or mobile phones, it will remain a mystery.
I’m sure the mystery will be solved, but we don’t know the answer right now.
I agree with Terry Zink at Microsoft that the evidence suggests it is Android malware and there isn’t a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers.
Envelope image courtesy of Shutterstock.