Google Android smartphones hijacked by spam botnet

Google Android OS smartphones have been hijacked by a botnet spamming from a Yahoo server, marking an evolution in mobile malware

Smartphones running Google's Android operating system (OS) have been hijacked by a botnet, according to a Microsoft researcher.

Researcher Terry Zink said he had come across spam being sent from Yahoo e-mail servers by Android devices, marking an evolution in mobile malware.

"We’ve all heard the rumours, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices login to the user’s Yahoo e-mail account and send spam," Zink wrote in a blog post.

Historically mobile malware has made money from capturing SMS messages used for online banking authentication and sending premium-rate SMS messages to collect the subscription fees.

Last year Google introduced a new service into its Google Play app store that provides automated scanning for potentially malicious software, without requiring developers to go through an application approval process.

Google claims that between the first and second halves of 2011, there was a 40% decrease in the number of potentially malicious downloads from Google Play. But Zink believes the malware used to hijack the Android phones did not come from the official app store, as the IP addresses of the hijacked Android devices revealed they are located in Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine and Venezuela.

"I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for," said Zink.

"Either that or they acquired a rogue Yahoo Mail app."

Zink said he believes this new technique being used by spammers ups the ante for spam filters. 

"If people download malicious apps onto their phone that capture keystrokes for their e-mail software, it makes it way easier for spammers to send abusive mail," said Zink.

"This is the next evolution in the cat-and-mouse game that is e-mail security."

It is likely Android users are downloading pirate copies of Android applications containing Trojans, said Chester Wisniewski, senior security advisor at security firm Sophos.

"Android users should exercise caution when downloading applications for their devices and definitely avoid downloading pirated programs from unofficial sources," said Wisniewski.

"Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems," he wrote in a blog post.

In a follow up posting, Wisniewski said that, although he had not seen a sample of the malware concerned, the evidence suggests spam is originating from a mobile botnet of Android devices.

"Many, including Google, have suggested the messages are forged. We see no evidence of this," said Wisniewski.

"The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures. The message IDs are all valid for the Yahoo! mailers sending them as well. 

"It would not be possible to spoof this information externally."

According to Wisniewski, one of two things is happening: Either a PC botnet is exploiting Yahoo's Android APIs; or mobile phones have been infected with malware that uses the Yahoo APIs for sending spam messages.

"I agree with Terry Zink at Microsoft that the evidence suggests it is Android malware," Wisniewski said.

Read more on Hackers and cybercrime prevention