ID: IRCNE2012071547
Date: 2012-07-10
According to “TechWorld” ,accusations that an Android-based botnet is spewing spam may, in fact, be no such thing, but instead a sign that criminals are exploiting bugs in the Yahoo Mail app for Google's mobile operating system, a security firm said today.
"There's no smoking gun, but my guess is that it's not malware," said Kevin Mahaffrey, co-founder and CTO of San Francisco-based Lookout Security, essentially dismissing the botnet possibility. "It's more likely an issue with the Yahoo Mail app."
Lookout has discovered what Mahaffrey called "potential security issues" in Yahoo's Android app, and reported its findings to the California search company's security team.
News first circulated Tuesday about a possible Android-based botnet - if accurate, a first - when Terry Zink, a program manager for Microsoft's enterprise-grade Forefront security product team, reported that spam messages were originating from Yahoo's servers and being sent from Android devices.
Other security researchers, including those at UK-based Sophos, reached the same conclusion after analysing some of the spam messages.
Google has denied that the spam is being sent by an Android botnet. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google told the IDG News Service yesterday.
Several security experts took Google's side, theorising that the spam actually originated from a run-of-the-mill botnet composed of compromised Windows PCs, and as Google said, had been disguised as mobile mail to avoid detection.
Mahaffrey and Lookout, however, offered a third explanation, that Yahoo Mail on Android contained vulnerabilities that spammers were exploiting.
The current version of Yahoo Mail for Android is 1.4.4, which was last updated 23 June, according to Google Play, the official Android app e-market.
Yahoo did not reply to a request for confirmation of Mahaffrey's assertion that Yahoo Mail contained flaws that could have been used to spew spam from smartphones equipped with the app.
Related Links:
Microsoft engineer discovers Android spam botnet
- 2