Update (7/6): Researchers at Sophos are backtracking on their previous claims, saying they're no longer so sure about the source of the spam or whether Android devices are indeed involved.
An anti-spam engineer working for Microsoft has exposed, on his MSDN Cyber Security Blog, an international botnet controlling Android devices that is being used to send spam on an industrial scale. Terry Zink found that all of the spam originated from Yahoo's mail servers, taking advantage of compromised Yahoo accounts.
Interestingly, during further investigation he found that the footer of every spam message contained "Sent from Yahoo! Mail on Android," and, thanks to Yahoo's practice of stamping the IPs used when connecting to the service, he was able to trace them.
"Luckily, Yahoo stamps the IP address in the headers of where the device connected to its service. I looked up where the IPs are geo-located: Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela," he wrote in his blog post.
Zink believes this latest security issue is the result of a new piece of malware that targets Yahoo Mail accounts on Android devices, which, once compromised, are used to send spam messages.
"I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for," wrote Zink. "Either that or they acquired a rogue Yahoo Mail app."
Reports of malware for Google's Android mobile OS have increased along with its rise in popularity. There have been several separate reports this year alone, including the first-ever reported Android browser-based malware in May, known as "NotCompatible", which propagated via Android's own built-in browser. Fortunately for those infected, it didn't appear to do anything malicious and still required permission to install.
While Android users are free to download apps from anywhere via a process known as sideloading, it's always best practice to download apps and other content via the Google Play (previously Android Marketplace) store rather than risk installing unverified software on your devices. This serves as another reminder of the pitfalls you can encounter by installing apps from untrusted sources.