Android may have been wrongly maligned for its role in a malware botnet, security researchers have admitted, with findings that devices running Google’s software could be responsible for spam potentially fooled by a fake email signature. Despite claims from Sophos and Microsoft earlier this week that email header information pinned down Android devices as the guilty carriers, each has since backtracked having conceded that Android’s involvement is in no way certain.
“It’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices” Microsoft engineer Terry Zink wrote in a follow-up to his earlier comments on the botnet. However, the security researcher still isn’t willing to let Android off the hook.
“On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices” Zink theorized. “Before writing my previous post, I considered both options but selected the latter.”
As for Sophos, senior security adviser Chester Wisniewski has confirmed he is rechecking the company’s own findings to see if a fake signature could be responsible for mistaken identity. “We don’t know for sure that it’s coming from Android devices” Wisniewski said on Thursday, though went on to maintain that in his belief it is a botnet running on Android phones rather than something else.
“We either have a new PC botnet that is exploiting Yahoo!’s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages” the researcher wrote. “One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of the originating IPs on cellular networks.”
Google, meanwhile, continues to protest Android’s innocence. “The evidence we’ve examined does not support the Android botnet claim” a company spokesperson said. “Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using. We’re continuing to investigate the details.”