Google is disputing statements from researchers at Microsoft and Sophos who this week warned that Android devices were sending spam through compromised Yahoo Mail accounts. In response, both now say they are further investigating their earlier claims.
The idea of an international Android botnet leveraging the mobile operating system was first publicized earlier this week by Microsoft engineer Terry Zink in a blog post. He believed a new type of malware was accessing Yahoo Mail accounts on Android devices to send spam messages. He also determined from the originating IP addresses that the spam was coming from Asia, Eastern Europe, South America and the Middle East.
Chester Wisniewski, a Sophos Canada senior security engineer, also posted about the malware today. “The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!’s free mail service and contain correct headers and DKIM signatures,” he wrote. He believed Android users became infected by downloading pirated copies of paid Android apps that contained the Trojan.
As media outlets and bloggers began reporting on the Android botnet, Google issued a statement saying evidence did not support the researchers’ findings. “Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using,” the company said.
This led Zink to admit that the spam headers could have been spoofed so they appeared they came from Android devices instead of a more conventional source. Or not.
“Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the [sic] message-ID thus overriding Yahoo’s own Message-IDs and added the ‘Yahoo Mail for Android’ tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices,” he wrote.
“On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices.”
Similarly, Sophos’ Wisniewski told The Wall Street Journal today he is rechecking his findings to confirm if it’s spam using a faked signature or if it is actually coming from Android devices.
Google said in its statement that it also is continuing to investigate the details.