back to article Google denies Redmond report of a spamming Android botnet

Google is disputing claims from a Microsoft researcher that a functioning botnet is operating on Android phones and spamming out Viagra and penny stock adverts to unsuspecting punters. Terry Zink, program manager for Microsoft Forefront online security, took time during the annual July 4 "We're kicking out the Brits and will …

COMMENTS

This topic is closed for new posts.
  1. Andrew Jones 2
    FAIL

    So.....

    Microsoft is upset that it's mobile operating system isn't performing as well as it would like and has decided to slur Android? Seriously - Microsoft "security" is only technical enough to examine the headers of spam to find it's origin? Like spammers actually advertise the email system they use....... "HEY WORLD, I'M SPAM THAT WAS SENT FROM AN ANDROID PHONE - COME AND NEUTRALISE ME NOW YOU KNOW WHAT DEVICE I LIVE ON"

    *sigh* sometimes I wonder just what qualifications people need these days to be "technically qualified"

    1. Anonymous Coward
      Anonymous Coward

      To be fair the "Sent from Yahoo! mail on Android" line is automatically added by the phone, so the spammers wouldn't be in control of that.

      I think it's too early to say either way. Yes Microsoft is jumping the gun a bit, but Google are also being too full of themselves by not even admitting the possibility.

      1. Anonymous Coward
        Anonymous Coward

        I once sent an E-mail to our CIO from Bill.Gates@Microsoft.com just to show how easy it is to spoof an address and to explain how SMTP headers allowed one to trace upstream. This was right after the first semi-complex address spoofing massmailer viruses came out in the early 2000s. He wanted us to somehow stop infected systems on the internet from spoofing our users' addresses.

        <joke>Sent from my Microsoft Surface</joke>

        1. Anonymous Coward
          Anonymous Coward

          Well you can avoid a lot of the spoofing by using SPF and locking up your mail server really well. Maybe it wasn't as widely available when you were at the company.

          As for the matter at hand I find it very suspicious that a spammer would go to all the trouble of precisely cloning the structure of a Yahoo Android email, down to the messages IDs. It doesn't make a lot of sense.

          The guy who found this may be on to something.

          1. Nick Stallman
            FAIL

            SPF is relatively new. Didn't exist 10 years ago.

            The fact that every email has the same message id means its most likely someone who packet sniffed a android mobile sending a email from the app, and is duplicating the transmission with spam for the body.

            Easy way to send email via Yahoo.

            Message ids are unique for every email that is sent legitimately hence why its fairly obvious.

          2. Vic

            > you can avoid a lot of the spoofing by using SPF

            Sadly, there seems to be some sort of misinformation about SPF doing the rounds.

            I've seen a lot of spam over the last few weeks sent from forged addresses. Looking up the SPF records for the domains in question, they all end in "+all". :-(

            Vic.

        2. Ilgaz

          Gee

          Do you think a researcher @Ms doesn't know how to read& verify headers? Even a non technical user can use a tool like SpamCop.net to see what actually sent it.

          1. vgrig_us

            Re: Gee

            "Do you think a researcher @Ms doesn't know how to read& verify headers?"

            Well - i won't be surprised. Office 365 (that Forefront is part of) support didn't know you can have 2 MX servers with same priority for domain ("It creates a bottleneck!").

    2. Anonymous Coward
      Anonymous Coward

      The spam uses a *fixed* message ID...

      And anyone is seriously paying attention to this guy's claim that the message ID is real?

      Good grief -- no wonder he's a manager, rather than someone who has a professional clue about email security. The folks over at SANS are undoubtedly laughing their collective arses off over the half-witted discussion about this.

      Sure, Android -- and WP7, for that matter -- botnets are undoubtedly feasible. But it isn't going to be this PHB who uncovers one.

      1. Dr. Vesselin Bontchev
        Boffin

        Re: The spam uses a *fixed* message ID...

        What makes you think that the message ID is always one and the same? The wording of an ElReg article? Since when do you get reliable information from there? Go read the original articles.

        At this point it is impossible to tell who is right. It is certainly possible that the messages are sent from a mobile botnet - but there is not enough evidence to prove it. It is also possible that the messages are sent from PCs and are faked to look as if sent from mobile devices. Finally (and my bet is on that) it is possible that vulnerabilities exist in some mobile app for accessing Yahoo! Mail and the spammers have used this vulnerability to create a bunch of accounts and are sending the spam from there.

    3. LarsG
      Facepalm

      They will of course follow the example of Apple, Microsoft ,Facebook and previous Google exclamations,

      'we had no idea, it must be a bug!'

      Until such time as they are found out.

  2. GrantB
    Devil

    "Sent from Yahoo! Mail on Android"

    Er, I can add "Sent from " to any email I want as well. Or 'Sent From my iPhone' etc. Spoofing the message ID is a little harder, but still easier than writing a malware infected mail client and getting it onto a bot-net worth of hand-held's.

    I would presume spammers are smart enough to know that having little things like that mobile client ID might be enough to reduce some algorithm's probability of marking the item as spam. My guess is that Baysian filters would learn that 99.9% of say Hotmail email is spam, where as little to no spam comes from mobile email clients in which the customer in theory pays.

    My (evil) thought would be that all a spammer has to do, would be to offer cheap/free low end Android phones in, loaded with an app or infected version of Android. Would a student in a Nigeria turn down a free Android phone setup for pre-pay? All the device needs to do is be programmed to look at a bot-net controller for client adverts to be sent out, then whenever the device is on Wifi, sends the emails out at a moderate(ish) rate. Potentially then spam could originate from hundreds or thousands of Wifi points.. along with the Wifi password if the user has entered it....

    1. Anonymous Coward
      Anonymous Coward

      Re: "Sent from Yahoo! Mail on Android"

      > Spoofing the message ID is a little harder,

      It is trivial.

      1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com

      <seconds since 1970>.<usec>.androidMobile@<username>.<yahoomailserver>

      > .. offer cheap/free low end Android phones in, loaded with an app or infected version of Android ... for client adverts to be sent out ...

      Profitable spam mail depends upon a couple of people out of many thousands responding. The cost of each phone would mean each phone would have to send millions of spam emails to get enough responses just to cover the cost of the phone.

  3. Andrew Jones 2
    Happy

    and as I suggested Microsoft are jumping to conclusions....

    they are now backtracking.....

  4. Anonymous Coward
    Anonymous Coward

    Hmmm

    Google also once disputed that there was nothing wrong with their sales model. And then all of a sudden developers started to surface up to a point where Google locked /and/ removed said threads.

    Pardon me for not believing Google on their word with this.

    1. Mikel
      FAIL

      Re: Hmmm

      You mean you've been trolling Android developer threads too?

  5. tath
    Coffee/keyboard

    You've got to laugh

    Microsoft researchers say an OS may be insecure and leave you vulnerable to botnet shenanigans.

    My irony meter just exploded.

  6. Anonymous Coward
    Anonymous Coward

    It would be bizzare...

    ... if in amongst all the free apps in the Android Market, at least one of the ones that requires full network access for unobvious and unspecified reasons, WASN'T some sort of trojan.

    Regardless of the specifics of this particular report (the only correct position to take for now is wait-and-see), it's just dumb to think that there are not a ton of compromised android handsets belonging to the kind of person who doesn't carefully think about the permissions requested by each and every closed-source market 'Play' app they've installed. i.e. average persons.

    Google's defensiveness is stupid, and is gonna come back and bite them, even if they ARE right in this particular instance.

    1. Mikel
      Facepalm

      Re: It would be bizzare...

      The point of the above message is to sow "fear, uncertainty and doubt" - FUD. It's emotional manipulation, not reasoned argument. This is being professionally done for profit reasons. When you see things like this, you need to think "who benefits" and "what do they want?" Such offensive behavior should not be rewarded.

      1. Ru
        Trollface

        Re: "This is being professionally done for profit reasons"

        The net is full of trolls and fanboys and plain old stupid folk who honestly believe the tripe they say.

        Lets not assume that paid shills (which implies a certain level of organisation) are necessarily more likely to say this sort of stuff than some asshat with a net connection.

        1. Anonymous Coward
          Anonymous Coward

          Re: "This is being professionally done for profit reasons"

          Lol, I am neither a troll, an asshat, nor a paid shill - I am amused by the first, highly emotional response, accusing me of trying to use emotion rather than reason...

          The logic of my initial post is pretty basic - all you have to do is ponder whether it would be a sensible thing to try for someone invested in distributing malware, given that there are people invested in such.

          Infact, that first reply is glaring in being possibly itself exactly what it accuses me of being. Hmmm?

          Anyway, lol, no, and go f*#& yourself :)

      2. This post has been deleted by its author

      3. Jaymax

        The point of the above message is to sow "fear, uncertainty and doubt"

        From downthread, Kaspersky Labs via @twolegs

        http://www.securelist.com/en/blog/208193641/Find_and_Call_Leak_and_Spam

        our analysis of the iOS and Android versions of the application showed [it is a] Trojan that uploads a user’s phonebook to remote server. ... The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play.

        Seems OP had it exactly right?

    2. Dave Bell

      Re: It would be bizzare...

      I have to agree with that. And since there are Android tablets around which cannot use the Google store. Google cannot guarantee anything about Android apps.

      Yes, you can "root" the tablet, but can you be sure of the security consequences? Is using Google Play for any Android apps any guarantee anyway? I don't know, but I wouldn't say that out-of-the-box Google Play access was a useless filter for choosing your Tablet. The Kindle app and the iPlayer app are worth having, and I have not seen them anywhere else.

      I am sceptical about the malware claim, but the occasional false alarm does set people thinking.

      1. Mikel
        Unhappy

        Re: It would be bizzare...

        Please amend "above" to "immediately above and below." I could not have foreseen this.

  7. Khaptain Silver badge

    Is this a Virus or a App with Malware

    No one has mentioned whether or not we are taliking about a standalone virus or is it is malware hidden within a program( sorry App).

    There is a very big difference between the two.. You can simply just remove an App, Virii are usually not quite that easy..

  8. Ginger

    Saw this and checked my spam folder to be greeted by...

    http://imgur.com/Zvtx1

    Well, that's me sold. And it's not as though malware on android is not known or anything is it?

  9. Anonymous Coward
    Trollface

    I know the man who wrote the botnet....

    He said he'd originally designed it for Windows Phone 7.5 but he couldn't find any other bugger using one, so it wasn't very effective

  10. Mike Judge

    Not that it stopped the BBC

    posting this as fact...

    Useless iPhone loving wankers...

    http://www.bbc.co.uk/news/technology-18720565

    This is nothing more than a desperate FUD stunt by Microsoft, whose own mobile OS has flopped dramatically.

    1. Stuart Castle Silver badge

      Re: Not that it stopped the BBC

      If you'd read past the headline ,you'd have found that the first paragraph says "Smartphones running Google's Android software have been hijacked by an illegal botnet, according to a Microsoft researcher."

      So, the article is saying that a Microsoft researcher has said there is an Android botnet. That much is actually true. A Microsoft researcher HAS stated there is Android based botnet.

      I would personally be surprised if there wasn't. Think about it. While Google seems to do a good job of deleting malware from the official Google Play market, a lot of Android handsets don't have access to that store, and where they do have an app store, the people running it may not be as careful to check for malware as Google or Apple.

      Look at the advantages. Most phones are connected to the network for most of the day. Also, Anti Malware software is relatively rare (compared to PCs, where most people seem to have some sort of anti malware system). Even where people have such software, a lot of apps on mobiles require some sort of network access, so people won't question when an app asks for network access.

      I am not saying that Android botnets exist. I don't know if they do. I am saying they are likely to appear, if they haven't already. I am also saying that these botnets probably won't be limited to one Mobile OS. Even with Apple's checking, we've had the odd malware appear on the iOS App Store, and there are probably vulnerabilities within the OS that enable installation of malware.

  11. twolegs
    Meh

    Kaspersky say on BOTH Google PLAY and Apple store

    Looks like both are to blame. Found in Russia.

    http://www.securelist.com/en/blog/208193641/Find_and_Call_Leak_and_Spam

    1. Anonymous Coward
      WTF?

      Re: Kaspersky say on BOTH Google PLAY and Apple store

      And that has nothing to do with this report... it's not even email.

      But what Kapersky says about that one is very entertaining: "There is one more curious detail about Fidall. You can find in the code such magic hexadecimal values as '0xBEEFDEAD' or '0xFACEDEAD' (see screenshot below).e been noticed in different malicious applications."

      I use DEADBEEF all the time for "magic" values as do many other packages and even computer systems (Amiga comes to mind). FEE1DEAD is also used in the linux kernel! Nothing malicious about it.

      It's a laughable attempt by Kaspersky at making it seem worse than it is.

  12. Anonymous Coward
    Anonymous Coward

    More news from Sophos

    http://nakedsecurity.sophos.com/2012/07/06/android-spam-bots-what-we-know-for-sure/

    "While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!'s API or web interfaces."

    "One of the interesting data points supporting the argument that this is new Android malware is the unusually large number of the originating IPs on cellular networks."

    Cellular networks? That thickens the plot a little bit.

    1. g e

      Re: More news from Sophos

      Yeah I was thinking Mobile Operator IP's should be a good indicator but... 90% of the time my droidphone is on a wifi connection of some sort and I'm sure I'm far from being the only one, so is it really a reliable indicator or a red herring / FUD / smokescreen.

      There may well be a botnet that can use droidphones of course but that it originated from Microsoft is a key dodgy factor, the BBC spouting tech drivel verbatim is no help and, sadly, par for the course for them.

      I'm sure google will have requested these alleged emails from the MS PR department for analysis by now so we'll have to wait and see I spose.

  13. g e
    Facepalm

    Quality technical prowess from MonkeySoft again

    FROM: Kinky Steve <sballmer@micorosoft.com>

    TO: sales@recipient.com

    X-FAKEHEADER: Originated by spambot on Microsoft Exchange j00 iz pwned

    Please buy some cock pills from me.

    a href="http://steveballmerscockpills.vnj.ru/49tyaihg8we98yu4" You can trust Microsoft /a

    Sent from my Windows Mobile

    Yeab BUT it says sent from my Windows Mobile at the bottom. Only Microsoft phones can do that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Quality technical prowess from MonkeySoft again

      The originating IP address is wrong. It seems to be coming from GoogleCanDoNoWrong.com

      1. g e

        Re: Quality technical prowess from MonkeySoft again

        LOL

        AC - Apple Cultist

        1. Anonymous Coward
          Anonymous Coward

          Re: Quality technical prowess from MonkeySoft again

          You've got me. If I'm not a Google Errection I can only be an Apple Cultist.

  14. Doogie1
    Meh

    It could be the Android Yahoo Mail application

    If the Android Yahoo Mail application is exposing an Intent it could be a piece of malware exploting it, similar to what this previous article describes

    http://www.theregister.co.uk/2011/11/30/google_android_security_bug/

  15. Dave Bell
    Flame

    Could we call this a "Microsoft Fire Drill"?

    1. Anonymous Coward
      Anonymous Coward

      Dave,

      How very Bavarian of you. Now hold hands, lay on the ground and remain calm.

      Anonymous because Osiris Is A Black God

  16. Anonymous Coward
    Anonymous Coward

    Google is copying Apple here

    By sticking their head in the sand and denying this before they've even had the time to look into it. Whether or not there is an Android botnet in this particular instance, there is certainly no reason such a thing isn't possible via either a malicious app or good free app where the author decides after several updates that get it onto a million phones that he wants to make a bit of extra cash.

    People rightly complain about Apple's "ignore it and it will go away" attitude towards security threats on OS X, which the flashback trojan recently proved to be stupid. Funneling everything through the app store and requiring review may make iOS somewhat more secure from app threats than Android, but it's not foolproof. OS X and Android be based on Unix gives them better security, but certainly not perfect security.

    The default response to any accusations of malware on smartphone OSes should be "we will work with the reporter of this issue to determine if its a real threat and make a public statement when we know, with a follow up plan of action if it is found to be true." Sadly Microsoft may be ahead of both Android and iOS in this regard since they'd already had their wakeup call on PC security a decade ago.

  17. Anonymous Coward
    Anonymous Coward

    The usual boring FUD

    Microsoft did this (a bucket load of FUD) with Linux and now Android.

    Just checked my spam folder and reviewed the headers of one such email and the IP was in a range as stated for "Individual PPPoE customers" owned by a Russian ISP offering a wide range of data services (including a DSL service). So, not a mobile IP, but still one that can be used by smartphones (wifi).

    I sent two emails from Yahoo (one from my Android and another from Yahoo! Webmail) and compared the raw emails (including headers) to the spam mail (I got curious when I found one of these mails in my spam folder). The emails are made to look like they are sent by Yahoo Mail's Android app (probably using whatever API the official app does), but they in fact aren't. There's a flaw by the programmer (one I won't mention as otherwise they will correct it). The spam could have been sent from any OS - Windows, Linux, OS X, iOS, etc. Who knows. M$'s "researchers" should take more care when comparing the raw emails.

  18. Tom Maddox Silver badge
    Trollface

    "spell color any way we please"

    Correctly?

  19. imaginarynumber

    AppleSoft

    I'd rather no see MS engaging in these kind of rumours, leave that to the likes of Apple

This topic is closed for new posts.

Other stories you might like