Android Malware Botnet Claims Doubted as Researchers Review Evidence

By Todd R. Weiss  |  Posted 2012-07-08

Android Malware Botnet Claims Doubted as Researchers Review Evidence

Two Internet security researchers who recently reported their findings of an Android botnet that pushes spam to users' Yahoo email accounts now say they might have jumped the gun.

In an update from The Wall Street Journal, the two researchers aren't as sure that their original claims about the alleged Android malware and botnet are correct.

"Chester Wisniewski, senior security adviser at Sophos, said he is rechecking his findings after Google and some other security researchers disputed findings of an Android 'botnet,' or a cluster of computers hijacked by hackers," The Journal reported in its Digits blog. "In an interview Thursday, Mr. Wisniewski said that the spam he identified generated by Yahoo€™s free Web-based email service was different than normal patterns of email spam but 'we don€™t know for sure that it€™s coming from Android devices.'"

The other security researcher, Microsoft engineer Terry Zink, also backtracked on his original report about the alleged Android malware, stating in a follow-up post "that he also didn€™t know for sure that Android devices had been compromised," according to The Journal. €œYes, it€™s entirely possible that bot on a compromised PC connected to Yahoo Mail' and inserted the 'Yahoo Mail for Android' tagline at the bottom of the spam messages 'to make it look like the spam was coming from Android devices,' he wrote."

Google, which owns and develops the Android mobile operating system, continues to deny the researchers' claims since the first reports were released. €œThe evidence we€™ve examined does not support the Android botnet claim," the company said in a statement through a spokesman. "Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they€™re using. We€™re continuing to investigate the details.€

The original reports from the two security researchers stated that the alleged malware would get into a user's smartphone through a rogue app, which then used users€™ Yahoo free email accounts to send out spam, according to an earlier story on "Microsoft engineer Terry Zink said he found spam samples coming from compromised Yahoo email accounts, but then noted that they were being sent from Android mobile devices."

€œWe€™ve all heard the rumors, but this is the first time I have seen it€”a spammer has control of a botnet that lives on Android devices,€ Zink originally wrote in a blog post July 3. €œThese devices log in to the user€™s Yahoo Mail account and send spam. €¦ The messages all come from Yahoo Mail servers. They are all from compromised Yahoo accounts. They are sending all stock spam, the typical pump and dump variety that we€™ve seen for years.€

Now, though, there are questions about the validity of those initial claims in this case.

One of the Experts Said His Research May Still Be Correct


In a follow-up blog post, however, Zink wrote that there is still a chance that their research is correct.

€œOn the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform," he wrote. "The reason these messages appear to come from Android devices is because they did come from Android devices€ Zink theorized. €œBefore writing my previous post, I considered both options but selected the latter.€

So what should people believe? Is there a new Android malware bot or not?

It depends, say two IT analysts who talked about the situation.

"Part of the problem that we've got in this environment is that there's so much pressure among security firms and researchers to be the first to report an issue," said Rob Enderle, principal analyst with The Enderle Group. "So the claims can be made too quickly, without enough evidence. And if it is misreported, then there are a bunch of researchers with egg on their face."

These kinds of questionable reports don't happen too often, Enderle, said, but in this case, a botnet on Android would be big because there are so many Android devices in use and a security compromise would affect so many users.

Such Reports Should Be Truly Vetted, Analysts Said


Charles King, principal analyst with Pund-IT, said it's good to maintain some skepticism when initially hearing such reports until they are truly vetted.

"I think it's really important to take any of this stuff with a grain of salt, especially for anything as complex as malware and computer viruses," King said. "They aren€™t simple technologies and noticing what appears to be one kind of pattern does not necessarily lead you directly to a gold mine of information."

People should also be a bit wary of reports from competing vendors, he said. "Where something like this can be particularly irksome or bothersome is when a security expert working for one company makes claims that could be spurious accusations about products from another company."

Such claims could be self-serving and must be thoroughly checked out, he said. "It just points out the importance of stepping lightly in a situation like this."

Meanwhile, Google continues to work to reduce the amount of malware, including developing its Bouncer program, which automatically scans for malware on apps in the Google Play marketplace.

However, given the open nature of Android and the large number of devices running the operating system, security experts are seeing a dramatic rise in the amount of malware that is being written for Android. In February, Juniper Networks officials reported that mobile malware more than doubled in 2011, growing by 155 percent across all platforms, which included Apple's iOS, Research In Motion's BlackBerry and Symbian.

However, malware targeting Android grew by 3,325 percent in the last seven months of 2011, and Android malware accounted for about 46.7 percent of unique malware samples that targeted mobile platforms, Juniper Networks found.

Rocket Fuel