Alleged Android botnet is nothing new

More fun than the Wimbledon finals is the tit-for-tat finger pointing going on right now between Microsoft and Google. It started when a Microsoft researcher claimed he had found spam coming from an Android botnet. This was based on two signals: the Message-ID header, which was identical to the one generated by the Yahoo! Android app, and the IP addresses these messages were coming from. Those addresses belonged to mobile carriers in countries outside North America and Western Europe, where Android malware is more common. Advantage Microsoft...

Google replied that this was more likely a Windows botnet pretending to be a Droid botnet, either by spoofing the protocol the Yahoo! Droid app uses to talk to the Yahoo! servers, or simply by forging the headers. Advantage Google...

Microsoft replied that, yes, that might be true, but they still think the Droid botnet is more likely. Advantage Microsoft...

At this point each company is challenging the other to come up with hard evidence to back up its claims by exhibiting the malware (either Droid or Windows) that is sending the spam. For companies with the resources of Google and Microsoft, this probably won't take long. The IP addresses originating the spam are known, so it should be possible to track down at least one guilty device. Reputations are at stake. Like I said, this is more fun than Wimbledon.

It turns out that this Yahoo! Android mobile header is nothing new in the spam world. We've been filtering spam containing it for over five months now. We did see a significant increase in new attack volume starting on June 28th, which is why it's getting all this attention now. Here's the graph:
So, is there Droid malware that has been sending out spam for five months or more without anybody noticing? Five months is a very long time in the Android world. If the spammer is clever enough to avoid detection on the Droid platform for that long, they are also clever enough to reverse engineer the communications of the Yahoo! Droid app and spoof them from a PC botnet. Deuce...

So, is Google or Microsoft going to be left with egg (or spam) on their face? If you force me to choose a winner, I think I'll go with Roger Federer.

UPDATE 7/7/2012: My colleague Mary Landesman has pointed out that there are in fact two spam attacks going on that contain the Yahoo! Android Mobile header. One has been going on for over a year and uses hacked Yahoo! accounts; the other started recently, in higher volume, and uses fake Yahoo! accounts created for spamming. Could it be that both Microsoft and Google are right, but are talking about different attacks? Is this match going to go to a tiebreaker? Stay tuned...
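To make the two pieces of evidence in the argument above concrete, here is an added example (my own code, not Cloudmark's filter and not anything from Microsoft or Google) that triages raw messages on exactly those two signals: whether the Message-ID matches a client-generated pattern, and whether the first visible submitting IP belongs to a mobile carrier. The Message-ID layout (`CLIENT_MSGID_RE`) is an assumed placeholder, because the post does not reproduce the real Yahoo! Android format, and the carrier address blocks are constructed from RFC 5737 documentation ranges, not real allocations. The second constructed sample illustrates Google's point: the same Message-ID pattern from a non-carrier address tells you nothing about the sending platform on its own.

```python
import email
import ipaddress
import re

# ASSUMPTION: placeholder layout for a client-generated Message-ID. The real
# format produced by the Yahoo! Android app is not given in the post.
CLIENT_MSGID_RE = re.compile(
    r"^<\d{10,13}\.\d+\.androidMobile@[\w.-]+\.example\.invalid>$"
)

# Constructed "mobile carrier" blocks using documentation ranges (RFC 5737).
# These are not real carrier allocations.
MOBILE_CARRIER_BLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "carrier-A (constructed)",
    ipaddress.ip_network("198.51.100.0/24"): "carrier-B (constructed)",
}

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(msg):
    """Return the IP from the bottom-most Received header.

    Each relay prepends its own Received line, so the last one in the list
    is the earliest hop that is visible. Caveat (Google's argument): anything
    below the receiving organisation's own boundary is under the sender's
    control and can be forged, so this is a hint, not an attribution.
    """
    for line in reversed(msg.get_all("Received") or []):
        match = RECEIVED_IP_RE.search(line)
        if match:
            return ipaddress.ip_address(match.group(1))
    return None


def carrier_for(ip):
    """Map an IP to a constructed carrier label, or None if not in a block."""
    if ip is None:
        return None
    for block, name in MOBILE_CARRIER_BLOCKS.items():
        if ip in block:
            return name
    return None


def classify(raw):
    """Combine the two signals from the Microsoft claim into one verdict."""
    msg = email.message_from_string(raw)
    message_id = (msg.get("Message-ID") or "").strip()
    client_pattern = bool(CLIENT_MSGID_RE.match(message_id))
    ip = origin_ip(msg)
    carrier = carrier_for(ip)
    if client_pattern and carrier:
        verdict = "client-pattern-from-mobile-carrier"
    elif client_pattern:
        # Same header, but from an address outside the carrier blocks:
        # consistent with forged headers or a relay, so no platform attribution.
        verdict = "client-pattern-from-non-carrier"
    else:
        verdict = "no-client-pattern"
    return {
        "message_id_matches": client_pattern,
        "origin_ip": str(ip) if ip else None,
        "carrier": carrier,
        "verdict": verdict,
    }


# Constructed sample messages (not real spam samples).
SAMPLE_MOBILE = """\
Received: from mta.example.invalid ([192.0.2.10]) by mx.example.invalid; Sat, 7 Jul 2012 10:00:00 +0000
Received: from [203.0.113.45] by web1.mail.example.invalid via HTTP; Sat, 7 Jul 2012 09:59:50 +0000
Message-ID: <1341654000000.12345.androidMobile@web1.mail.example.invalid>
From: someone@example.invalid
To: you@example.invalid
Subject: constructed sample

body
"""

SAMPLE_NONCARRIER = SAMPLE_MOBILE.replace("[203.0.113.45]", "[192.0.2.77]")

SAMPLE_OTHER = SAMPLE_MOBILE.replace(
    "<1341654000000.12345.androidMobile@web1.mail.example.invalid>",
    "<abc123@desktop-client.example.invalid>",
)

if __name__ == "__main__":
    for name, raw in [("mobile", SAMPLE_MOBILE),
                      ("non-carrier", SAMPLE_NONCARRIER),
                      ("other", SAMPLE_OTHER)]:
        print(name, classify(raw))
```

Running the block prints one verdict per constructed sample; the interesting row is the second, where the Message-ID is identical to the first but the origin address is not a carrier, which is precisely why the header alone cannot settle the Droid-versus-Windows question.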