Isn't it possible that the spammers are using the API used by Yahoo's Android application from the usual compromised desktop machines, rather than from Android devices themselves? All of the information required to do so would be available from analysis of the Yahoo Android application.
I've asked a classmate about Android security recently and he complained about downloading a fake Yahoo mail app by accident. He only realized this after friends asked him what was up with the spam.
Just an anecdote, but I found it interesting that it was about the same freemail service as the OP. I haven't been able to Google a written report of it up though.
Well, it's not new and it won't be the last. But when the spam potentially means extra income from data usage for the mobile telcos, I do wonder how helpful they will be in stamping this out.
I know email can be forged, and the aspect that there is a bot running on a mobile phone telling everybody it's an Android is something that doesn't prove it came from an Android phone - could be an iPhone for what we know. Without the bot/spyware/evil program being pointed at and caught in the act with wifi sniffers then there is no evidence that is tangible. You can send emails out that look like they come from an iPhone69 in the headers; it doesn't mean that an iPhone69 exists.
But if people install a non-vetted application then they will get unvetted results.
Now if only the governments really stamped hard on SPAM, maybe if the music industry had a vested interest then it would soon get stamped out. It's a fine revenue that governments could tap into and the public really won't be complaining for once. Please governments - go get hard on SPAM and levy huge fines and make us all happier.
It depends what else the phones are being used for. If they are regularly pulling down audio data for the web, or even fat, non-mobile-ized web pages, on a regular basis, then the incremental bump from a few dozen spam emails a day might be hard to notice...
Both Message-ID spoofing/reuse and dressing up the message body to look like it was coming from a mobile device would probably rank the spam's quality lower than otherwise.
Occam's razor argues that this genuinely did come from an Android OS, and statistics argues that this is a smartphone.
It isn't certain fire, but this is definitely smoke. And it is terrible news for carriers and customers alike.
It's also not unusual in at least one of those countries (Thailand) to go to a shopping mall and give your phone to someone who'll install a gazillion apps on it for you.
"I am betting that the users of those phones downloaded some malicious Android app in order to avoid paying for a legitimate version and they got more than they bargained for."
Not using a vetted marketplace is a dangerous security gamble as the author claims the passwords were probably taken by a keylogger.