Google Dismisses Android Botnet Reports

Google has claimed reports of a botnet controlling Android phones to send out reams of spam are not accurate.

Earlier this week, Microsoft engineer Terry Zink thought he had identified the first real evidence of an Android spamming botnet, having come across spam messages claiming to come from Yahoo accounts on Google’s operating system.

But Google said the evidence did not support the Android botnet claim. “Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using,” a spokesperson said.

Google in denial?

Yet security firm Sophos disputed Google’s response, saying it had seen no evidence the messages were forged. In a post today, Sophos’ senior security adviser Chester Wisniewski said that whilst it did not have a malware sample to back up reports of the Android botnet, Sophos had evidence that “strongly suggests this is happening”.

“The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures,” Wisniewski said in a blog post. “The Yahoo headers note the origin of the messages as ‘Web API’ which could indicate either the normal Yahoo webmail interface or, as we believe, the Android API interface referenced in the mail headers.

“The Message-IDs are all valid for the Yahoo! mailers sending them as well. It would not be possible to spoof this information externally.

“While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!’s API or web interfaces.

“So one of two things is happening here. We either have a new PC botnet that is exploiting Yahoo!’s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages.”

Zink issued an update yesterday, admitting it was “entirely possible” that the messages contained forged signatures, but he still believed the botnet was controlling Android devices.

But another security firm, Lookout, believes it is more likely that there is an issue with the Yahoo Mail app for Android. It claimed to have found issues in the application, but could not provide more detail on the “vulnerabilities” for responsible disclosure reasons.

“We’ve reached out to Yahoo with this information and they have acknowledged that their mobile team is actively working on these issues,” said Kevin Mahaffey, CTO and co-founder of Lookout.

“Regardless of how this spam campaign works, it was clear from initial reports that the Yahoo Mail Android app may play a key role. After taking a detailed look at the app, we’ve found a number of issues that have potentially broader implications for all Android users of Yahoo Mail.”

Android has been beset with malware issues this year, as it was in 2011. Earlier this week, a researcher showed how a malicious hacker could create a rootkit for the Google OS that could hide applications and replace them with fake ones to steal user data.

Yesterday, Kaspersky said it had found a rogue application on the Google Play store. There was also an iOS version of the app, which the Russian security giant claimed was the first malware to hit the Apple App Store.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Comments

  • This claim is outrageous. I have had an iPhone 4 for about 2 years now and my Yahoo email started spamming everyone in my address book. So to claim that this is an Android problem is preposterous.

    • I'm not sure if it's a Google problem, I get a lot of spurious email from people on Yahoo mail to my gmail account. Usually filtered to spam, and deleted.
