The potential security consequences of allowing employees to work with the devices they choose at the office have caused administrators many a sleepless night. And the latest news about a malware strain that makes zombies of Android phones isn’t going to make their nights any less restless.
News of the suspected botnet, which may be the first of its kind, first appeared in a blog post by Microsoft security ace Terry Zink. He found some suspicious emails among a number of spam samples he’d been scrutinizing. They contained the header:
“Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>” and the tagline “Sent from Yahoo! Mail on Android.”
Putting the two pieces of information together, Zink deduced that he’d discovered a botnet using Android smartphones as spam spewing zombies:
“We’ve all heard the rumors, but this is the first time I have seen it—a spammer has control of a botnet that lives on Android devices.”
Google, the custodian of the Android operating system, often doesn’t see eye to eye with Microsoft, and it didn’t buy Zink’s analysis here either. It issued a statement declaring:
“The evidence does not support the Android botnet claim. Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using.”
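The disagreement above comes down to two separate signals: the Message-ID, which the receiving infrastructure records from the sending platform, and the “Sent from Yahoo! Mail on Android” tagline, which is ordinary body text anyone can type. The following is an added example, not code from Zink, Google or Sophos, that classifies spam samples by which of the two signals they carry; the Message-ID pattern is generalized from the single example quoted in the article, and the sample messages are constructed.

```python
import email
import re
from email import policy

# Generalized from the one Message-ID quoted in the article:
# <epoch.counter.androidMobile@webNNNNNN.mail.<site>.yahoo.com>
# (assumption: other Yahoo Android Message-IDs follow the same shape).
ANDROID_MSGID = re.compile(
    r"^<\d+\.\d+\.androidMobile@web\d+\.mail\.[a-z0-9]+\.yahoo\.com>$"
)
# The body tagline; free text, so it is trivially added to any message.
ANDROID_TAGLINE = "Sent from Yahoo! Mail on Android"

def classify(raw: str) -> str:
    """Return 'android-consistent', 'tagline-only', 'msgid-only' or 'none'."""
    msg = email.message_from_string(raw, policy=policy.default)
    msgid = str(msg.get("Message-ID") or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    has_id = bool(ANDROID_MSGID.match(msgid))
    has_tag = ANDROID_TAGLINE in text
    if has_id and has_tag:
        return "android-consistent"   # both signals agree (Zink/Sophos reading)
    if has_tag:
        return "tagline-only"         # fake mobile signature (Google's reading)
    if has_id:
        return "msgid-only"
    return "none"

def tally(samples):
    """Count each classification across a batch of raw messages."""
    counts = {"android-consistent": 0, "tagline-only": 0, "msgid-only": 0, "none": 0}
    for raw in samples:
        counts[classify(raw)] += 1
    return counts

# Constructed sample messages (only the first Message-ID is from the article).
SAMPLES = [
    "From: a@example.net\nMessage-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>\n"
    "Subject: hi\n\nCheap watches\n\nSent from Yahoo! Mail on Android\n",
    "From: b@example.net\nMessage-ID: <abc123@mail.example.net>\n"
    "Subject: hi\n\nCheap watches\n\nSent from Yahoo! Mail on Android\n",
    "From: c@example.net\nMessage-ID: <def456@mail.example.net>\n"
    "Subject: hi\n\nCheap watches\n",
]

if __name__ == "__main__":
    print(tally(SAMPLES))
```

A batch dominated by “tagline-only” messages supports Google’s explanation; “android-consistent” messages still need corroboration such as the originating-network evidence Sophos described.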
That’s when Zink’s theory garnered another supporter from the security community, Sophos. It, too, analyzed some spam samples with Yahoo information in them, and it came to the same conclusion as Zink: that the email headers were genuine and that the messages did originate from Android phones. Sophos security adviser Chet Wisniewski observed in a company blog post:
“While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!’s API or web interfaces.”
As further evidence that the messages originated from a smartphone botnet, Wisniewski pointed to the unusually large number of IP addresses found on cellular networks and connected to the junk email samples.
In addition, he noted, the geographic distribution of the Android spam differed from typical Yahoo spam patterns. More than two-thirds of the Android spam originated from either Russia and the Ukraine (43 percent) or four Latin American countries (25 percent). Less than one percent of Yahoo spam typically comes from Russia and the Ukraine and 32 percent from four Latin American countries. Almost half of typical Yahoo spam originates in five Asian nations (48 percent).
Yet another research team, however, discovered a vulnerability in Yahoo’s mail app for Android that could be exploited to spoof the origin of the spam studied by Microsoft and Sophos. The bug, discovered by Trend Micro, allows a snooper to hijack the session cookie created when the Yahoo Android app is communicating with Yahoo’s mail servers. Once the cookie is compromised, the cyber thief can log into a victim’s account from any PC and send spam that would look like it was sent from a smartphone.
If the Android botnet does exist—and since the malware needed to create it hasn’t been found yet, that’s a big if—it could usher in what Zink is calling:
“The next evolution in the cat-and-mouse game that is email security.”
It would also create a gigantic headache for administrators shepherding the security of organizations with Bring Your Own Device policies, because a bot army on their charges’ phones could be operating right under their noses.