Microsoft Security Firm Backtracks On Android Malware Claim as Google Calls them Out

[dgstorm]

Last week, Microsoft's Frontline online security company claimed that they found evidence of a botnet spammer security hole on Android devices. They pointed out that there was a spam operation using Yahoo!'s webmail service and claimed that it was coming from an Android device. The spam was using the message ID [email protected] and includes the line "Sent from Yahoo! Mail on Android." Terry Zink, program manager for Microsoft Forefront online security said, "All of these message are sent from Android devices," he said. "We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices login to the user's Yahoo Mail account and send spam."

Google called Microsoft out on this one. They said, "The evidence we’ve examined does not support the Android botnet claim. Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using. We’re continuing to investigate the details.”

Since then, Microsoft and other security companies that jumped on this bandwagon backtracked from their initial statements. Here's a quote with a few more details,

Chester Wisniewski, senior security adviser at Sophos, said he is rechecking his findings after Google and some other security researchers disputed findings of an Android “botnet,” or a cluster of computers hijacked by hackers.

In an interview Thursday, Mr. Wisniewski said that the spam he identified generated by Yahoo’s free Web-based email service was different than normal patterns of email spam but “we don’t know for sure that it’s coming from Android devices.”

On Thursday, Mr. Zink stated in a follow-up post that he also didn’t know for sure that Android devices had been compromised. “Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail” and insert the “Yahoo Mail for Android” tagline at the bottom of the spam messages “to make it look like the spam was coming from Android devices,” he wrote.

So, basically some security firms sponsored by Microsoft pounced on an opportunity to slam Android when they jumped to a conclusion without investigating the facts first. In fact, it was really poor logic on their part to begin with. Here's another quote from a separate security company backing up Google's assertion,

Alex Stamos, chief technology officer of Web-security firm Artemis Internet, said he’d never seen spam from a mobile app and said it “makes no sense” to do so for several reasons, including that “spammers like” to use devices that that “allow them to send messages quickly” and they like the ability to change the Internet Protocol address–the label assigned to a computer logged on to the Internet—“which is very hard [to do] on a mobile network.”

Mr. Stamos added: “If Google says that this spam was using a faked signature, then I think that’s likely.”

Hmmm... it seems like Microsoft was trying to raise a ruckus over nothing. Share your thoughts.

Thanks for the tip, furbearingmammal!

Source: TheRegister and Wall Street Journal