Yahoo session hijacking likely culprit of Android spam
Researchers have turned up new evidence that the spam messages originally suspected to have been sent by an Android botnet may actually have been the result of a vulnerability in the Yahoo Android mail client.
Earlier this month, Microsoft researcher Terry Zink reported finding spam samples that appeared as if they'd been sent by compromised Android devices. He said the email headers on these messages indicated they'd been sent from mobile devices. However, Google denied the possibility of an Android botnet and argued the spammers were using infected PCs to spoof messages in order to bypass email filters.
Now, the latest research from Trend Micro and Lookout Mobile Security indicates that the vulnerability actually may lie in the Yahoo Mail application for Android.
A vulnerability in this app could allow attackers to gain access to a user's Yahoo Mail cookie, Weichao Sun, a mobile threats analyst at Trend Micro, said Monday in a blog post. With that cookie, an attacker could compromise the Yahoo Mail account and send out specially crafted messages. This bug also grants the attacker access to the user's inbox and messages, Sun said.
The issue appears to be in how Yahoo's Android mail client transmits data. Researchers at Lookout Mobile Security reported the app did not encrypt its communications by default. All traffic sent by the app was transmitted using the "HTTP" protocol rather than the secure "HTTPS" protocol, researchers said in a Lookout blog post.
"Any traffic that is sent by the Yahoo Mail Android app can easily be intercepted over an open network connection such as a public WiFi network," they wrote in the post.
An attacker could sniff for Yahoo Mail-specific traffic on open wireless networks and then intercept a cookie to impersonate that user, Lookout said. Session hijacking was a "very plausible explanation" for why the messages looked as if they had been sent from mobile devices.
Android users can enable SSL within the app's General Settings to force all communications to be encrypted, according to Lookout.
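The condition described above, a session cookie crossing the network in plaintext, is something a security team can verify from its own traffic captures. The following is an added illustration, not code from Lookout, Trend Micro or Yahoo: it scans constructed HTTP request samples (placeholder hostnames and cookie names, not the real app's) and reports every cookie with a session-like name that was sent without TLS, which is what makes it capturable on an open WiFi network. After an app has been switched to HTTPS, the same check run over a fresh capture should return nothing.

```python
"""Report session-like cookies that were sent over plaintext HTTP."""
from typing import Dict, List, Tuple

# Constructed samples. "tls" records whether the connection was encrypted;
# hostnames and cookie names are placeholders, not values from the real app.
CAPTURED_REQUESTS = [
    {"tls": False, "raw": "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
                          "Cookie: session_id=abc123; prefs=dark\r\n\r\n"},
    {"tls": True,  "raw": "POST /send HTTP/1.1\r\nHost: mail.example.test\r\n"
                          "Cookie: session_id=abc123\r\n\r\n"},
    {"tls": False, "raw": "GET /logo.png HTTP/1.1\r\nHost: static.example.test\r\n\r\n"},
]

# Substrings that usually mark an authentication cookie rather than a preference.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values for one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cookie_names(cookie_header: str) -> List[str]:
    """Extract cookie names from a Cookie header such as 'a=1; b=2'."""
    return [part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if part.strip()]


def find_cleartext_cookie_leaks(captures) -> List[Tuple[str, List[str]]]:
    """Return (host, session-like cookie names) for each plaintext request with cookies."""
    findings: List[Tuple[str, List[str]]] = []
    for cap in captures:
        if cap["tls"]:
            continue                          # encrypted: not readable by a passive observer
        headers = parse_headers(cap["raw"])
        if "cookie" not in headers:
            continue
        risky = [n for n in cookie_names(headers["cookie"])
                 if any(hint in n.lower() for hint in SESSION_HINTS)]
        if risky:
            findings.append((headers.get("host", "?"), risky))
    return findings


if __name__ == "__main__":
    for host, names in find_cleartext_cookie_leaks(CAPTURED_REQUESTS):
        print(f"plaintext session cookie(s) to {host}: {', '.join(names)}")
```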
Yahoo has been informed about the vulnerability, but the company hasn't commented on the flaw or offered a timeline of possible fixes. Trend Micro, meanwhile, plans to post a technical analysis of the vulnerability.