Android Malware Creates Smartphone Botnet, Researchers Say

The malware, which usually downloaded via apps taken from third-party sites, sends out spam from users’ Yahoo email accounts, according to security experts.

Spammers have developed malware that is creating a botnet from Android mobile devices, the latest example of the explosive growth in attacks on Google€™s mobile operating system.

According to a Microsoft researcher, the malware is downloaded onto the smartphone via a rogue app, which then gets into users€™ Yahoo free email accounts to send out spam. Microsoft engineer Terry Zink said he found spam samples coming from compromised Yahoo email accounts, but then noted that they were being sent from Android mobile devices.

€œWe€™ve all heard the rumors, but this is the first time I have seen it€”a spammer has control of a botnet that lives on Android devices,€ Zink wrote in a blog post July 3. €œThese devices log in to the user€™s Yahoo Mail account and send spam. €¦ The messages all come from Yahoo Mail servers. They are all from compromised Yahoo accounts. They are sending all stock spam, the typical pump and dump variety that we€™ve seen for years.€

Looking at the IP addresses stamped in the headers of the emails, Zink was able to determine that the spam is being sent from a number of countries: Chile, Indonesia, Lebanon, Oman, the Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

Zink and other security researchers believe that users of the compromised Android devices probably downloaded the malware when they downloaded an app not from the Google Play market, but from some other place on the Internet in hopes of avoiding having to pay. The countries that seem to be the source of the spam prove that out, according to the Microsoft engineer.

€œI€™ve written in the past that Android has the most malware compared to other smartphone platforms, but your odds of downloading and installing a malicious Android app is pretty low if you get it from the Android Marketplace,€ Zink wrote. €œBut if you get it from some guy in a back alley on the Internet, the odds go way up. I€™ve also written that users in the developed world usually have better security practices and fewer malware infections than users in the developing world. Where are almost all of those countries in the list above? Mostly in the developing world.

€œI am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for. Either that or they acquired a rogue Yahoo Mail app.€

Chester Wisniewski, a senior security advisor at Sophos Lab, agreed.

€œIt is likely that Android users are downloading Trojanized pirated copies of paid Android applications,€ Wisniewski said in a July 5 blog post. €œAndroid users should exercise caution when downloading applications for their devices and definitely avoid downloading pirated programs from unofficial sources. Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems.€

Google has worked to reduce the amount of malware, including developing its Bouncer program, which automatically scans for malware on apps in the Google Play marketplace.

However, given the open nature of Android and the large number of devices running the operating system, security experts are seeing a dramatic rise in the amount of malware that is being written for Android. In February, Juniper Networks officials reported that mobile malware more than doubled in 2011, growing by 155 percent across all platforms, which included Apple's iOS, Research In Motion's BlackBerry and Symbian.

However, malware targeting Android grew by 3,325 percent in the last seven months of 2011, and Android malware accounted for about 46.7 percent of unique malware samples that targeted mobile platforms, Juniper Networks found.

"Hackers are incented to target Android, because there are simply more Android devices as compared to the competition," Daniel Hoffman, chief mobile security evangelist at Juniper, told eWEEK at the time.

That trend continued into 2012, according to security software firm McAfee, which is owned by Intel. In the first three months of the year, almost 7,000 Android threats were found, an increase of more than 1,200 percent from the same period in 2011, according to the McAfee report released in May. Most of these threats come from third-party app stores as opposed to Google Play, McAfee officials said.