Saturday04 February 2023

A Microsoft Engineer Claims There is an Android Botnet; The Proof Is A Little Thin

Reading time is around minutes.

News light-virus-1Hearing about a flaw in one product from a competitor in a product is sort of like asking your dog what food he likes best. You know you are not going to get a good answer and, of course, the dog is only going to stare at you and eat pretty much anything (including a bug…). So when we heard that a Microsoft Anti-Spam Engineer was reporting a new Android based email spam botnet we took it with a grain of salt (remember Microsoft has a new Phone OS coming out soon).

According to the report by Terry Zink on his blog; there are a large number of spam emails being sent from Android phones through Yahoo email servers. He first discovered this by watching spam patterns and noting a high level of spam coming from Yahoo. He then checked some of the footers and found that everyone contained the line “Sent from Yahoo! Mail on Android”. Now in addition to this Zink was able to get the Originating IP addresses and was able to narrow down the blocks are located. What we notice that he did not do is find out if they were in fact mobile device IP addresses. Zink is basing his belief that there is an Android Botnet on the footer line and this code;

Message-ID: <1341147286.19774.androidMobile @>;

I opened up a test account and checked the header and found a similar number with a different mail server though.

Message –ID: <1341513901.56153.androidMobile @>;
A second message sent produced
Message-ID: <1341513968.82218.androidMobile @>;

The mail servers will be different depending on the geographical location that the user is in just as the ID number at the front of the string is different. Now here is where things get interesting… In our case the sender IP was not the IP of our phone. Because we have an exchange mail account installed on the device the SMTP server was the address of our edge default gateway. It was not the one associated with our phone. So the IP addresses used might have nothing to do with actual devices, but could be part of a more traditional Botnet using desktop systems. Also the fact that he claims that they all contain that exact message ID would also seem to indicate that the messages are canned and coming from the same single source but sending through different devices. We have seen something like this before on Blackberries where someone thought it was coming from RIM’s network, but was actually from a spambot network that was spoofing the message format.  

Although there is the possibility that a botnet can be set up on Android devices I have feeling that further investigation will discover that this is not a ring of compromised phones sending spam, but someone using a message format and sending through compromised mail accounts on Yahoo’s servers. This is something that has also happened before. What we do see is a lot of talk about having a secure method for purchasing applications and controlling a mobile OS.

“I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app.
This ups the ante for spam filters. If people download malicious apps onto their phone that capture keystrokes for their email software, it makes it way easier for spammers to send abusive mail. This is the next evolution in the cat-and-mouse game that is email security.”

We actually were surprised that Zink did not go all out and talk about Microsoft’s Store and how they have secured the OS and Store from this type of malicious app, but that might have been a little too much. As we have said before, there is no such thing as a secure OS regardless of what device it is installed on and while Android devices get a bad rap for being open (yes there are more bad apps for Android than others) it is exactly as bad as some would have you think. Yahoo! Mail is a free app that can be grabbed from the Paly Store so there is no reason try and grab another one. Remember you can still get an infected iPhone if you jailbreak it and download from a bad repository. The same can be said grabbing applications from some of the developer forums for the ZuneHD and we are sure this will happen with Windows Phone 8. Right now, without more hard information (like linking the IPs to an actual phone or carrier) we have a hard time accepting this one at face value considering it is coming from a Microsoft engineer and we are a couple of months away from the launch of the Windows 8 Ecosystem.

Discuss this in our Forum

Last modified on Thursday, 05 July 2012 15:33

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.