Slashdot Mirror


Microsoft Engineer Discovers Android Spam Botnet, Google Denies Claim

An anonymous reader writes "Microsoft engineer Terry Zink has discovered Android devices are being used to send spam. He has identified an international Android botnet and outlined the details on his MSDN blog. A closer look at the e-mails' header information shows all the messages come from compromised Yahoo accounts. Furthermore, they are also stamped with the 'Sent from Yahoo! Mail on Android' signature. Google has denied the allegations. 'The evidence does not support the Android botnet claim,' a Google spokesperson said in a statement. 'Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.'"

30 of 152 comments

  1. Just link to the ACTUAL blog entry by Anonymous Coward · · Score: 5, Insightful

    Would it kill you to link to MSDN - where the blog entry actually resides? I get the anti-MS sentiment (although jeez, quit living in the 90s), but making readers jump to ZDNet first (or sending them back to /.) is just being passive aggressive.

    1. Re:Just link to the ACTUAL blog entry by John3 · · Score: 5, Informative

      Here's the original blog entry.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    2. Re:Just link to the ACTUAL blog entry by ozmanjusri · · Score: 3, Interesting

      Fascinating conclusion he's come to. It looks like MS engineers don't understand Joe jobs.

      --
      "I've got more toys than Teruhisa Kitahara."
    3. Re:Just link to the ACTUAL blog entry by Taco+Cowboy · · Score: 3, Insightful

      Fascinating conclusion he's come to. It looks like MS engineers don't understand Joe jobs.

      Under normal circumstances, MS does not hire idiots (with the exception of Ballmer, of course).

      So ... this looks more like that MS engineer trying to make a name for himself.

      --
      Muchas Gracias, Señor Edward Snowden !
    4. Re:Just link to the ACTUAL blog entry by Tough+Love · · Score: 3, Insightful

      I get the anti-MS sentiment (although jeez, quit living in the 90s)

      Microsoft remains as evil as it ever was, two decades later. Anti-MS sentiment is not only richly deserved, but prudent.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    5. Re:Just link to the ACTUAL blog entry by Unoriginal_Nickname · · Score: 5, Insightful

      Microsoft is evil in the same way that suicide is a sin. We're talking about a company that's only relevant on one doomed platform, choking to death on too many brands and too many failed attempts to enter other markets. Unix is everywhere. Unix beat Microsoft a long time ago.

      Stop poisoning the discourse by giving Microsoft such a disproportionate share of the hate. Adobe's just as bad, and Oracle's a lot worse. Why don't you rail against them? Why don't we talk about how, once Windows is gone, our only practical choice will be between a walled garden or an operating system that's philosophically dominated by the toxic, vapid musings of a man who literally believes that it is better to let your children starve to death than ply your trade as a software developer?

    6. Re:Just link to the ACTUAL blog entry by hairyfeet · · Score: 5, Interesting

      It doesn't smell like a Joe Job to me; it smells like another Yahoo bug. Those that read one of my previous journal entries here know that there was a bug that would let anyone surfing with FF who had a Yahoo account send spam thanks to a hidden iFrame, and frankly, looking at my spam folder, there is a LOT, I mean a hell of a lot, of spam both coming from Android and from regular but with ONE thing in common... Yahoo.

      I have to wonder if the spammers haven't found a way to use the same bug they used on FF on Android, because Yahoo's new layout seems especially weak to this form of attack. It makes more sense that they are using a browser hack than having the entire Android system compromised, but who knows? There are a hell of a lot of older Android versions out there; maybe they found a weak spot in the 2.x line and are hitting it.

      But in the end somebody needs to be talking to the security guys at Yahoo and find out what they are using to hit their emails, be it a browser hack or something nastier.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Re:A Microsoft engineer? by ackthpt · · Score: 3, Insightful

    And he doesn't realise that any program on any computer on the internet could pretend to be on Android? I don't know much about mail, but I would guess the "'Sent from Yahoo! Mail on Android' signature" would have been set by the client.

    Engineer perhaps doesn't mean so much at Microsoft.

    Posted from my AndBot

    --
    A feeling of having made the same mistake before: Deja Foobar
  3. Spam lying!?! by ignavus · · Score: 4, Funny

    What ? Spam lying?!?

    I am shocked. SHOCKED, I tell you!

    --
    I am anarch of all I survey.
  4. Why not? by rabtech · · Score: 4, Interesting

    This seems like a much easier way to send spam... Most users will be using the stock mail app so just install, ask for the world in privileges (most users just click yes to anything), then send spam in the background using the user's account.

    If you are smart, you avoid sending any spam to that user's contacts and intercept any replies that contain the spam text as a quoted string. That would make it far less likely for the victim to notice anytime soon.

    Even if the spam isn't coming from Android phones right now, I'm sure someone will do it eventually.

    --
    Natural != (nontoxic || beneficial)
    1. Re:Why not? by AmberBlackCat · · Score: 5, Informative

      (most users just click yes to anything)

      On Android, you have to. Your only options are accept everything or you don't get the app.

    2. Re:Why not? by Anonymous Coward · · Score: 4, Informative

      I've posted this before, but here we go again. There are quite a few options for fine-grained permission control on Android. My top 3:

      1) Cyanogenmod includes permission management. You'll have to flash it on your device, but it's not hard. http://www.cyanogenmod.com/
      2) PDroid - requires a patched kernel http://www.xda-developers.com/android/pdroid-the-better-privacy-protection/
      3) LBE Privacy guard - requires root https://play.google.com/store/apps/details?id=com.lbe.security.lite

    3. Re:Why not? by Anonymous Coward · · Score: 5, Informative

      To be clear, Cyanogenmod 7 contains permission management. This feature was dropped in Cyanogenmod 9.

    4. Re:Why not? by CoderJoe · · Score: 3, Insightful

      Now try again, without requiring flashing a custom OS version or root. The average user is not going to do any of that.

  5. Avoiding lawsuits by gmuslera · · Score: 3, Insightful

    Microsoft was a monopoly in botnets; better to claim that there are others somewhere else, even if they have to build it themselves.

    Anyway, a botnet uses a standard mail client to send its payload? Even thinking that is a bad signal about them.

  6. Engineer is backtracking by John3 · · Score: 5, Informative

    There is a follow-up blog post where Zink backtracks a bit and admits the headers could be forged.

    "In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices."

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    1. Re:Engineer is backtracking by Anonymous Coward · · Score: 5, Funny

      "Elaborate deception" -- If that's his idea of elaborate, I wish he worked in marketing and not software!

  7. Re:A Microsoft engineer? by Megor1 · · Score: 4, Informative

    He is a Program Manager, so: great journalism, ZDNet.

    --
    Everyone that disagrees with me is a paid shill
  8. Re:A Microsoft engineer? by MrDoh! · · Score: 5, Funny

    I believe him.
    Sent from my Cray Supercomputer. BillGates@Microsoft.com

    --
    Waiting for an amusing sig.
  9. It Shouldn't Be Too Hard To Verify by NotSanguine · · Score: 4, Insightful

    Or to disprove the claim if we can look at the mail headers. Especially if we have multiple samples.

    The claim, on its face, is plausible. However if you're a spammer, you want to send out as many emails as quickly as you can. Sending emails via a wireless device (either WiFi or cellular) seems like wasted effort when there are so many cable/dsl/fiber connected PCs (running whatever OS, but usually Windows) out there that can send many more spam emails in the same amount of time -- Usually without alerting non-technical users who don't review their router/firewall logs often, if ever.

    All that said, I suppose it's possible. It just seems a little strange that this should come out of Microsoft -- especially since there are many very technical people out there who are rolling their own Android -- you'd think they'd have found it first.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  10. Doesn't realise? Or... by DragonWriter · · Score: 4, Insightful

    A Microsoft engineer? and he doesn't realise that any program on any computer on the internet could pretend to be on android?

    Well, either "doesn't realise" or "has a vested interest leading him to first fail to mention and, after that, downplay the possibility". Which is more likely is left as an exercise to the reader.

  11. Re:Go Microsoft by thatseattleguy · · Score: 5, Insightful

    And if anyone knows how to take what should be a simple, straightforward, technical discussion and turn it into a MS vs Google flame war, it will be Slashdot commenters.

  12. Is the Message-ID incrementing? by Anonymous Coward · · Score: 4, Interesting

    And if so, does it match the generation scheme used by Android?

    If it's a repeating "Message-ID: " as the blog suggests then it's likely forged.

  13. Is it just Yahoo? by whoever57 · · Score: 5, Interesting

    I see emails from compromised accounts. The one thing that appears to be common is that it is always from Yahoo accounts. After one of my friends had her Yahoo account compromised, I thoroughly scanned her PC -- nothing showed up. I scanned the hard drive while connected to a known clean PC, so it wasn't just a well hidden malware.

    I am beginning to wonder if there is a vulnerability in Yahoo's security that is being used to compromise accounts.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Is it just Yahoo? by kesuki · · Score: 4, Insightful

      Nothing shows up because it's not on her PC. I've had spam coming from a former online friend, and more recently spam claiming to come from my own Yahoo address. It turns out if you manually set the x-apparently-from, Yahoo will show that as the sender. Yahoo explains it better here: http://answers.yahoo.com/question/index?qid=20100725063846AAoDV1T

    2. Re:Is it just Yahoo? by whoever57 · · Score: 4, Interesting

      nothing shows up because it's not on her pc,

      Her account had to be compromised somehow. The emails were sent using her credentials. Her Yahoo mailbox was modified to delete all the saved emails and contacts, change the password and forward the email elsewhere. It was not simply someone sending email that looked like it came from her account -- it really was sent using her Yahoo account.

      She told me that she only checks her email from her PC, at home. She doesn't use open Wi-Fi points, she doesn't use other PCs. Unless there was some kind of malware that vaporized itself from her PC after stealing her account credentials, or [contrary to what she told me] she really did use another PC to check her email, the limited evidence suggests that her account credentials were stolen by a security flaw at Yahoo.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Is it just Yahoo? by Billly+Gates · · Score: 5, Interesting

      The answer is a Firefox exploit with an invisible iFrame. I have seen it myself, and Hairyfeet noticed the same thing: if you browse some porn sites with Firefox after you log in, your account will randomly start spamming people.

      Basically it is a rogue iframe ad which looks identical to the Yahoo email login, and it uses JavaScript to place it over the real Yahoo login from yahoo.com. Since the iframe is invisible in Firefox you have no clue and just click on it and enter the username and password.

      I wonder if Mozilla fixed this?

  14. I'm well aware of this spam by Anonymous Coward · · Score: 3, Informative

    For roughly the last week I've been using the string from the summary as essentially perfect proof that a message delivery attempt to my server is spam. The fact that Yahoo delivers almost no legitimate mail eases my worries. How the messages are actually originating is irrelevant to me, but bloody Hell there are a lot of 'em.

    Every three or four weeks the spammers seem to come up with a new template for the Yahoo spam they send and this is just the latest (actually, there seem to be a couple of huge spam operations running through Yahoo, not counting all the 419 scammers).

    Yahoo doesn't accept abuse complaints, and 10,000 Yahoo accounts are openly advertised as costing $137. It's hard to see how this is not a very serious problem that Yahoo should feel obligated to address.

    Here's roughly what a representative spam from this campaign looks like, slightly edited with mangled HTML so that Slashdot would display it:

    Return-Path:
    Received: from nm23-vm1.bullet.mail.bf1.yahoo.com (98.139.213.141) by
      myserver for spamvictim@mydomain>;
      Sun, 1 Jul 2012 12:55:08 -0700
    Received: from [98.139.212.145] by nm23.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
    Received: from [98.139.212.199] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
    Received: from [127.0.0.1] by omp1008.mail.bf1.yahoo.com with NNFMP; 01 Jul 2012 19:41:56 -0000
    X-Yahoo-Newman-Property: ymail-5
    X-Yahoo-Newman-Id: 31585.24743.bm@omp1008.mail.bf1.yahoo.com
    Received: (qmail 53658 invoked by uid 60001); 1 Jul 2012 19:41:55 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1341171715; bh=XCjzxBAl+aG8gtCEWjueAIJtqJl1qzpQf/Pvh1rDXMQ=; h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=nilcBrxhBDZ0vkail/UfvoWOspyAWtrnB4QklyD6KWshJdxlXlynsFBMeRaBWQICEtqEITG+SmghLsJStFOWR+eb39JXx1a5tl6LV/CQc9yIIrdmdR8qsdY3bwaqXYp+OfxsePQCZ0C+AoeJDlmIk0m51VIB1io7Kk9P7iudDok=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
        s=s1024; d=yahoo.com;
        h=Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
        b=cHirUEK+wuN6DGQSrgiWi6qqyGJFrSO9BVJaVwv664oJ+u1RLo95cHPuIDPutn5hMoTiBFi3zmvjmprGCAVlP3EQDzWDQD6dG6tUO02acOYLJJ3WM9MKCqUKAb/nCAKaQ8xh/bzU1/zC/nQP9WZRidccQUSNChY6+bAhx3tol3E=;
    Received: from [190.201.200.221] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
    X-Mailer: YahooMailWebService/0.8.120.356233
    Message-ID: ##########.##### .androidMobile@web140206.mail.bf1.yahoo.com>
    Date: Sun, 1 Jul 2012 12:41:55 -0700 (PDT)
    From: Desiree Chinnici DesireeChinnicifo64@yahoo.com>
    Subject: FWD: 300% Gain!
    To: "noncale@simon.com" noncale@simon.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="--nottherealboundarymarker=:blargh--"

    --nottherealboundarymarker=:blargh--
    Content-Type: text/plain; charset=us-ascii

    Please Enable Images to View this Important Newsletter!

    img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/a>

    Sent from Yahoo! Mail on Android

    --nottherealboundarymarker=:blargh--
    Content-Type: text/html; charset=us-ascii

    table cellspacing="0" cellpadding="0" border="0">tr>td valign="top" style="font: inherit;">p>/p>
    p>Please Enable Images to View this Important Newsletter!

    br>
    img src="https://public.blu.livefilestore.com/longuniqueidentifier/13.gif?psid=1"/a>br>br>br>/p>
    p>Sent from Yahoo! Mail on Android/p> /td>/tr>
    --nottherealboundarymarker=:blargh--
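
    A defensive check in the spirit of the posted sample and of comment 12's Message-ID question, added here as an example (not code from the thread, from Yahoo or from Microsoft): it parses a header block modelled on the posted headers (the client IP and the Message-ID digits are constructed), flags the Android markers that the submitting client controls, and reports when the Received path instead says the message was submitted over HTTP webmail; a second helper counts Message-IDs that repeat across a sample set.

```python
"""Do a mail's Android markers agree with its submission path?  Both the
'.androidMobile@' Message-ID and the 'Sent from Yahoo! Mail on Android'
tagline are written by the submitting client; only the Received path is not."""
import re
from collections import Counter
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the headers posted above: the client IP is a
# TEST-NET address and the Message-ID digits are made up.
SAMPLE = """\
Received: from [203.0.113.7] by web140206.mail.bf1.yahoo.com via HTTP; Sun, 01 Jul 2012 12:41:55 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
Message-ID: <1341171715.12345.androidMobile@web140206.mail.bf1.yahoo.com>
From: Example Sender <sender@example.com>
Subject: FWD: 300% Gain!
To: victim@example.net
Content-Type: text/plain; charset=us-ascii

Please Enable Images to View this Important Newsletter!

Sent from Yahoo! Mail on Android
"""

ANDROID_TAGLINE = "Sent from Yahoo! Mail on Android"
WEB_SUBMIT = re.compile(r"\bby (\S+) via HTTP\b", re.I)

def assess_android_claim(raw):
    """Return the Android markers found and whether the delivery path contradicts them."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # The bottom-most Received header is the one closest to the submitting client.
    received = msg.get_all("Received", [])
    web_hop = next((r for r in reversed(received) if WEB_SUBMIT.search(r)), None)
    findings = {
        "tagline": ANDROID_TAGLINE in body,
        "android_message_id": "androidMobile" in str(msg["Message-ID"] or ""),
        "x_mailer": str(msg["X-Mailer"] or ""),
        "web_submission": web_hop is not None,
    }
    claims_android = findings["tagline"] or findings["android_message_id"]
    webmail = findings["web_submission"] or "WebService" in findings["x_mailer"]
    findings["inconsistent"] = bool(claims_android and webmail)
    return findings

def repeated_message_ids(raw_msgs):
    """Message-IDs that recur across a sample set; a real client would not repeat them."""
    ids = Counter(str(message_from_string(m, policy=default)["Message-ID"]) for m in raw_msgs)
    return {mid: n for mid, n in ids.items() if n > 1}
```

Run against the posted sample, the tagline, the `.androidMobile@` Message-ID and the `via HTTP` hop all line up the way the Google statement describes, so the Android claim rests on nothing the client could not have written itself.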

  15. The sad part by dubl-u · · Score: 3, Informative

    The really sad part is how far Microsoft has fallen. They can't even do FUD well anymore.

  16. Re:Redmond Help Wanted by Anonymous Coward · · Score: 3, Interesting

    FWIW, I see far more frivolous lawsuits from Apple these days than from Microsoft. In fact, when was the last time we talked about a Microsoft lawsuit?