Yahoo session hijacking likely culprit of Android spam


Researchers have turned up new evidence that the spam messages originally suspected to have been sent by an Android botnet may actually have been the result of a vulnerability in the Yahoo Android mail client.

Earlier this month, Microsoft researcher Terry Zink reported finding spam samples that appeared as if they'd been sent by compromised Android devices. He said the email headers on these messages indicated they'd been sent from mobile devices. However, Google denied the possibility of an Android botnet and argued the spammers were using infected PCs to spoof messages in order to bypass email filters.

Now, the latest research from Trend Micro and Lookout Mobile Security indicates that the vulnerability actually may lie in the Yahoo Mail application for Android.

A vulnerability in this app could allow attackers to gain access to a user's Yahoo Mail cookie, Weichao Sun, a mobile threats analyst at Trend Micro, said Monday in a blog post. With that cookie, an attacker could compromise the Yahoo Mail account and send out specially crafted messages. This bug also grants the attacker access to the user's inbox and messages, Sun said.

The issue appears to lie in how Yahoo's Android mail client transmits data. Researchers at Lookout Mobile Security reported that the app did not encrypt its communications by default: all traffic sent by the app was transmitted over plain HTTP rather than HTTPS, researchers said in a Lookout blog post.

"Any traffic that is sent by the Yahoo Mail Android app can easily be intercepted over an open network connection such as a public WiFi network," they wrote in the post.

An attacker could sniff for Yahoo Mail-specific traffic on open wireless networks and then intercept a cookie to impersonate that user, Lookout said. Session hijacking was a "very plausible explanation" for why the messages looked as if they had been sent from mobile devices.

Android users can enable SSL within the app's General Settings to force all communications to be encrypted, according to Lookout.
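The failure mode described above, a session cookie attached to plain-HTTP requests, is easy to check for on both ends of the connection. The following is an added example (not code from the article, Trend Micro, Lookout or Yahoo): it parses a constructed HTTP request and flags session cookies that would travel in cleartext, and audits a Set-Cookie header for the Secure and HttpOnly attributes that a standards-compliant cookie jar honours. The hostnames, paths and cookie names are assumptions for the sample traffic, not Yahoo's real endpoints.

```python
"""Audit constructed HTTP exchanges for session cookies exposed in cleartext.

Added example, not from the article or the vendors it quotes. Models two
defender-side checks: (1) client side, a session cookie must never be attached
to a non-TLS request; (2) server side, session cookies should be issued with
the Secure and HttpOnly attributes. Sample traffic is constructed; the host
'mail.example.invalid' and the cookie names are assumptions for this example.
"""

from typing import Dict, List

# Cookie names treated as session-bearing (assumption for the example).
SESSION_COOKIE_NAMES = {"sessionid", "Y", "T"}

# Constructed request as a cleartext mail client might emit it (no TLS).
CLEARTEXT_REQUEST = (
    "GET /ws/mail/v1/inbox HTTP/1.1\r\n"
    "Host: mail.example.invalid\r\n"
    "Cookie: Y=v=1&n=abc123; T=z=xyz789; lang=en\r\n"
    "\r\n"
)

# Constructed Set-Cookie headers: the weak issuance beside the hardened one.
WEAK_SET_COOKIE = "Y=v=1&n=abc123; Domain=.example.invalid; Path=/"
HARDENED_SET_COOKIE = (
    "Y=v=1&n=abc123; Domain=.example.invalid; Path=/; Secure; HttpOnly"
)


def parse_request(raw: str, scheme: str) -> Dict[str, object]:
    """Parse the request line and headers of a raw HTTP/1.1 request.

    `scheme` records whether the bytes were observed inside TLS ('https')
    or on the wire in the clear ('http'); a raw request does not carry it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"scheme": scheme, "method": method, "path": path,
            "host": headers.get("host", ""), "headers": headers}


def cookies_in_cleartext(request: Dict[str, object]) -> List[str]:
    """Return names of session cookies this request exposes on the wire."""
    if request["scheme"] == "https":
        return []                      # protected by TLS, nothing exposed
    cookie_hdr = request["headers"].get("cookie")  # type: ignore[union-attr]
    if not cookie_hdr:
        return []
    exposed = []
    for pair in cookie_hdr.split(";"):
        name = pair.strip().split("=", 1)[0]       # split on first '=' only
        if name in SESSION_COOKIE_NAMES:
            exposed.append(name)
    return sorted(exposed)


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hardening attributes a session Set-Cookie is missing.

    With Secure set, a compliant cookie jar never sends the cookie over plain
    HTTP, so a client that forgets TLS leaks nothing; HttpOnly keeps it out of
    reach of script. Non-session cookies are not audited.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if name not in SESSION_COOKIE_NAMES:
        return []
    return [req for req in ("secure", "httponly") if req not in attrs]


if __name__ == "__main__":
    req = parse_request(CLEARTEXT_REQUEST, "http")
    print("cleartext session cookies:", cookies_in_cleartext(req))
    print("weak Set-Cookie missing:", audit_set_cookie(WEAK_SET_COOKIE))
    print("hardened Set-Cookie missing:", audit_set_cookie(HARDENED_SET_COOKIE))
```

The client-side check is what the "enable SSL" setting fixes: the same request observed inside TLS (`scheme="https"`) reports nothing exposed. The server-side check is the complementary control; it is the issuer's cookie attributes, not the client's settings, that stop a mis-configured client from ever attaching the session cookie to a cleartext request.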

Yahoo has been informed about the vulnerability, but the company hasn't commented on the flaw or offered a timeline of possible fixes. Trend Micro, meanwhile, plans to post a technical analysis of the vulnerability.
