More importantly, the security researchers who initially outed the botnet are now admitting that they actually don't know for sure. Terry Zink, the Microsoft researcher who originally wrote the report, now says that he considered that the messages could have been spoofed, but decided that it simply made more sense for them to have come from Android. Chet Wisniewski, a Sophos security advisor who suggested that users should install Sophos Mobile Security to avoid being infected by an app that could send this kind of spam, told The Wall Street Journal that "we don't know for sure that it's coming from Android devices."
Yahoo told The Register that it's investigating the issue.
There's still a definite possibility that this is indeed an Android botnet of some sort, and both researchers claim the evidence points that direction, but we're far less certain than we were before, and a little less trusting, too.