Co-contributor: Paul Thomas
Over the last few days, we have seen reports that an Android botnet is hijacking mail clients on Android devices and sending spam promoting stocks, finance, and pharmaceuticals. An Android botnet is a possible culprit, but other scenarios are more likely, such as the spam originating from compromised computers.
To begin, here is a sample of a spam email sent on July 3:
Sample subject lines may appear as:
- Wall Street SHOCK ahead!
- Leading Edge Market Analysis
- RE RE: Controlled Prescriptions
- Special Situation Report
- Fwd: Ground Breaking News Report
Two indicators suggest these spam messages originate from a hijacked Android mail client:
- Message includes the string "androidMobile" in the Message-ID field
- Message uses the "Sent from Yahoo! Mail on Android" email signature
Note: The preceding Yahoo signature is used by default when sending any mail using the Yahoo! Mail for Android application.
So, while we have yet to confirm the true source of these messages, the evidence does not actually point to a malicious Android application sending mail through Yahoo! email accounts on Android devices, for three reasons.
First, without a local exploit and specially crafted hijacking code, an application that attempts to send mail through the default Android mail application cannot do so automatically in the background. Handing a message to the mail client only opens a pre-filled compose screen; the user must actively tap send. Further, the mails do not appear to come from the default mail client, but specifically from the Yahoo! Mail for Android application.
Second, the accounts being used do not appear to belong to real users. Rather, the accounts appear to have been created specifically to send this spam, and they all share a similar pattern: Firstname Lastname, two lowercase characters, and two numeric digits. The following are example email addresses:
- Corina Ullman [[email protected]]
- Dionne Wellner [[email protected]]
- Celeste Syrus [[email protected]]
- Kristin Jamison [[email protected]]
- Pearl Runge [[email protected]]
And finally, the vast majority of originating IPs for this spam do not appear to belong to a mobile network. Some of the IPs used, for instance, have previously been seen sending spam that carried no mobile indicators. Unfortunately, IP addresses are recycled, and a phone on Wi-Fi behind a home or office wireless access point (WAP) shows that access point's address rather than a carrier address, so the originating IP alone cannot establish what kind of device sent a message.
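To make the two header indicators above and the sender-address pattern concrete, here is an added example (not code from the original post or from Symantec) that parses raw messages and reports which fingerprints each one carries. The messages are constructed for the example, the Message-ID layout around the "androidMobile" string is assumed, and, because the real addresses are redacted on the page, the exact local-part layout (lowercase first and last name, then two lowercase letters and two digits) is an assumption as well.

```python
"""Check raw RFC 822 messages for the 'Android' fingerprints described above."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ANDROID_MSGID_MARKER = "androidMobile"
YAHOO_ANDROID_SIGNATURE = "Sent from Yahoo! Mail on Android"


def sender_matches_pattern(display_name: str, address: str) -> bool:
    """True when the address fits the pattern the post describes: the display
    name's two words run together, then two lowercase letters and two digits.
    ASSUMPTION: the original addresses are redacted, so this layout is a guess."""
    parts = display_name.split()
    if len(parts) != 2:
        return False
    local = address.rsplit("@", 1)[0].lower()
    expected = re.escape("".join(parts).lower()) + r"[a-z]{2}[0-9]{2}"
    return re.fullmatch(expected, local) is not None


def extract_indicators(raw: str) -> dict:
    """Return the three fingerprints for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "from": addr,
        # Indicator 1: "androidMobile" inside the Message-ID header.
        "android_message_id": ANDROID_MSGID_MARKER in str(msg.get("Message-ID", "")),
        # Indicator 2: the default Yahoo! Mail for Android signature.
        "yahoo_android_signature": YAHOO_ANDROID_SIGNATURE in body,
        # Indicator 3: the synthetic-looking sender address.
        "synthetic_sender": sender_matches_pattern(name, addr),
    }


def matches_campaign(raw: str) -> bool:
    """All three fingerprints together. Each one is trivially spoofable, so a hit
    identifies the campaign, not the device that sent the message."""
    ind = extract_indicators(raw)
    return ind["android_message_id"] and ind["yahoo_android_signature"] and ind["synthetic_sender"]


# Constructed samples (not real spam). Message-ID layout is assumed.
SPAM = """\
From: Corina Ullman <corinaullmanxq17@example.com>
To: victim@example.org
Subject: Wall Street SHOCK ahead!
Message-ID: <1341331200.4711.androidMobile@example.com>
Content-Type: text/plain; charset=utf-8

Special Situation Report: this stock is about to move.

Sent from Yahoo! Mail on Android
"""

LEGIT_ANDROID = """\
From: Paul Thomas <paul.thomas@example.com>
To: friend@example.org
Subject: Dinner tonight?
Message-ID: <1341331300.1024.androidMobile@example.com>
Content-Type: text/plain; charset=utf-8

Running late, see you at 8.

Sent from Yahoo! Mail on Android
"""

DESKTOP = """\
From: Kristin Jamison <kristin@example.net>
To: friend@example.org
Subject: RE: minutes
Message-ID: <20120703120000.ABC123@mail.example.net>
Content-Type: text/plain; charset=utf-8

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("legit android", LEGIT_ANDROID), ("desktop", DESKTOP)):
        print(label, extract_indicators(raw), "campaign" if matches_campaign(raw) else "no match")
```

The legitimate Android sample carries both header indicators and yet is not flagged, which is the point of the third check: a mail-from-Android fingerprint by itself says nothing about whether a phone was involved, since anyone driving Yahoo's web services from a PC, or simply writing the headers by hand, can produce it.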
Currently, there are a few theories as to how this spam is being generated:
- The spammers are using the same Web services used by the Yahoo! Mail for Android application, which would reproduce the "androidMobile" Message-ID and the default signature without any Android device being involved. The spam in this case likely originates from compromised computers controlled by the spammers, but could also originate from a malicious Android application. We have confirmed that mail can be sent through these Web services from a PC.
- A malicious application has somehow hijacked the actual Yahoo! Mail for Android application. Emails are being addressed and sent automatically in the background, without user knowledge. This scenario would require a design flaw in the application. We are examining the application, but have not found any such flaw at this time.
- The spammers are spoofing the message header fields.
The first theory is the most likely, but whichever tactic is used, the goal is the same: to make the spam look like mail from ordinary mobile users and so evade spam filters.
Symantec has seen an uptick in this type of spam since May 2012 and has rules in place to prevent it from hitting your inbox. We will monitor this situation closely for any developments and attempt to determine the true origin of this spam.