After a Microsoft engineer claimed an Android botnet is sending out spam from Yahoo accounts, Google denied the allegations. Now a newly discovered vulnerability in the Yahoo Mail app for Android explains how an attacker could be sending out the spam from the mobile devices.
Earlier this month I wrote about how Microsoft engineer Terry Zink said he discovered spam was being sent from compromised Yahoo accounts from what looked like an international Android spam botnet. Security firm Sophos as well as other security researchers backed up his claim, saying everything pointed to such a development, though nobody had found clear-cut evidence for it. Google quickly got in touch with me and denied Microsoft’s claim by saying spammers are probably using infected computers and a fake mobile signature to make it appear as if the e-mails were coming from Android devices. Now there is further proof that Microsoft may have been right, although the botnet in question has still yet to be found.
One way spammers could be sending such large quantities of e-mail that appears as if it’s being sent from Yahoo accounts used on Android devices is to exploit a Yahoo Android app vulnerability. In fact, Trend Micro says it recently uncovered a vulnerability in the Yahoo Android mail client, which can let an attacker do just that by gaining access to a user’s Yahoo Mail cookie.
The bug reportedly stems from the communication between the Yahoo mail server and the Yahoo Android mail client, according to the security firm. Once the attacker has the cookie, he or she can use the compromised Yahoo Mail account to send specially-crafted messages, not to mention access the user’s inbox and messages.
Zink fir deduced the spam e-mails were being sent from compromised Yahoo accounts on Android devices by looking at the e-mails’ header information as well as noting the “Sent from Yahoo! Mail on Android” signature. The Microsoft engineer speculated a cybercriminal had developed a new piece of malware that can access Yahoo Mail accounts on Android devices, send spam messages from them, and had linked them together to create a spam botnet.
The other option (this is what Google is pushing) is that compromised PCs connected to Yahoo Mail are inserting the message-ID and overriding Yahoo’s own Message-IDs and adding the “Yahoo Mail for Android” tagline at the bottom of the message. The goal here would be to make it look like the spam was coming from Android devices.
Since Yahoo provides the originating IP address for its e-mails, it is possible to see where the spam is being sent from: Asia, Eastern Europe, the Middle East, and South America. The e-mails Zink got his hands on came from Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. Samples analyzed by Sophos originated from Argentina, Ukraine, Pakistan, Jordan, and Russia. Trend Micro did not detail where it saw its spam e-mails coming from.
Even if you are not in any of these countries, please be careful. Android lets you download and install apps from anywhere. Please only install apps from Google Play unless you are absolutely certain you know who wrote the software you want to install.
I have contacted both Google and Yahoo about Trend Micro’s findings and will update you if I hear back.