Zombie Android Phones Pumping Out Spam, Researchers Say
Android smartphones are powerful little machines.
They can crunch numbers, render complex websites, play high-definition video, run thousands of applications and connect to far-flung networks. Many models have the processor speeds and storage capacities of low-end laptops.
And now there's one more thing Android phones can apparently do: Like PCs, they can join botnets to pump out spam emails.
Researchers at Microsoft and at England's Sophos Labs have independently found evidence that an Android-based botnet, or network of "zombie" machines secretly controlled by criminals without the phone owners' knowledge, is sending out rogue pharmaceutical spam, promising Viagra and the like.
"We've all heard the rumors, but this is the first time I have seen it," wrote Microsoft researcher Terry Zink in a blog posting. "A spammer has control of a botnet that lives on Android devices."
You get what you don't pay for
The proof isn't definite, but all the spam emails bear signatures of Android-based devices, along with Internet Protocol addresses of mobile-network providers in Eastern Europe, the Middle East, Southeast Asia and South America.
The emails also all seem to have been sent from Yahoo Mail's Android app, using either hijacked or manufactured Yahoo accounts.
"I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version, and they got more than they bargained for," wrote Zink. "Either that or they acquired a rogue Yahoo Mail app."
To both Zink and Sophos' Chet Wisniewski, it's telling that the spam seems to originate in countries such as Russia, Chile, Thailand, Lebanon and Saudi Arabia, where average yearly incomes are a fraction of what they are in the West.
Such "middle-income" countries have plenty of educated, affluent customers, but even to those users, the price difference between a $2.99 app on Google Play and its 99-cent pirated knockoff in an "off-road" app store is a significant savings.
"Most Android malware is not downloaded from Google Play but localized 'off market' download sites," wrote Wisniewski. "Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems."
Not so fast
Some security researchers were skeptical of Sophos' and Zink's claims, pointing out that just because the emails claim to come from mobile devices doesn't mean they really do.
"The evidence put forward to claim that this is an Android botnet is based on data which is easily spoofed/forged," Denis Maslennikov, a researcher with Moscow's Kaspersky Lab, told PC World.
"What we do know is that spam emails featuring these characteristics are being sent out," Roel Schouwenberg, a colleague of Maslennikov's at Kaspersky, told PC Magazine. "But it seems like currently nobody knows what malware/botnet on which OS is responsible for that."
A Google spokesman told Information Week that the Android-botnet conclusion was flat-out wrong.
"The evidence does not support the Android botnet claim," the unnamed spokesman said. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using."
Whether or not this truly is the first Android-based spam botnet, many security experts consider such a development inevitable. Android phones are ideal machines for botnets because unlike PCs, they're always on.
"At the moment, there are more than one billion smartphones activated in the world, and most of them are always connected to the Internet at all times, so they can pump up spam 24/7," researcher Bogdan Botezatu of BitDefender in Bucharest, Romania, told PC World.
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.