Editor in Chief
- Jan 5, 2011
Last week, Microsoft's Frontline online security company claimed that they found evidence of a botnet spammer security hole on Android devices. They pointed out that there was a spam operation using Yahoo!'s webmail service and claimed that it was coming from an Android device. The spam was using the message ID [email protected] and includes the line "Sent from Yahoo! Mail on Android." Terry Zink, program manager for Microsoft Forefront online security said, "All of these message are sent from Android devices," he said. "Weve all heard the rumors, but this is the first time I have seen it a spammer has control of a botnet that lives on Android devices. These devices login to the user's Yahoo Mail account and send spam."
Google called Microsoft out on this one. They said, "The evidence weve examined does not support the Android botnet claim. Our analysis so far suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform theyre using. Were continuing to investigate the details.
Since then, Microsoft and other security companies that jumped on this bandwagon backtracked from their initial statements. Here's a quote with a few more details,
Chester Wisniewski, senior security adviser at Sophos, said he is rechecking his findings after Google and some other security researchers disputed findings of an Android botnet, or a cluster of computers hijacked by hackers.
In an interview Thursday, Mr. Wisniewski said that the spam he identified generated by Yahoos free Web-based email service was different than normal patterns of email spam but we dont know for sure that its coming from Android devices.
On Thursday, Mr. Zink stated in a follow-up post that he also didnt know for sure that Android devices had been compromised. Yes, its entirely possible that bot on a compromised PC connected to Yahoo Mail and insert the Yahoo Mail for Android tagline at the bottom of the spam messages to make it look like the spam was coming from Android devices, he wrote.
So, basically some security firms sponsored by Microsoft pounced on an opportunity to slam Android when they jumped to a conclusion without investigating the facts first. In fact, it was really poor logic on their part to begin with. Here's another quote from a separate security company backing up Google's assertion,
Alex Stamos, chief technology officer of Web-security firm Artemis Internet, said hed never seen spam from a mobile app and said it makes no sense to do so for several reasons, including that spammers like to use devices that that allow them to send messages quickly and they like the ability to change the Internet Protocol addressthe label assigned to a computer logged on to the Internetwhich is very hard [to do] on a mobile network.
Mr. Stamos added: If Google says that this spam was using a faked signature, then I think thats likely.
Hmmm... it seems like Microsoft was trying to raise a ruckus over nothing. Share your thoughts.
Thanks for the tip, furbearingmammal!
Source: TheRegister and Wall Street Journal