New Yahoo app vulnerability explains Android spam

Summary: After a Microsoft engineer claimed an Android botnet was sending out spam from Yahoo accounts, Google denied the allegations. Now a newly discovered vulnerability in the Yahoo Mail app for Android explains how an attacker could be sending out the spam from the mobile devices.

New Yahoo app vulnerability explains spam from Android devices

Earlier this month I wrote about how Microsoft engineer Terry Zink said he discovered spam was being sent from compromised Yahoo accounts via what looked like an international Android spam botnet. Sophos, as well as other security researchers, backed up his claim, saying everything pointed to such a development, though nobody had found clear-cut evidence for it. Google quickly got in touch with me and denied Microsoft's claim by saying spammers are probably using infected computers and a fake mobile signature to make it appear as if the e-mails were coming from Android devices. Now there is further proof that Microsoft may have been right, although the botnet in question has still yet to be found.

One way spammers could be sending such large quantities of e-mail that appears as if it's being sent from Yahoo accounts used on Android devices is to exploit a Yahoo Android app vulnerability. In fact, Trend Micro says it recently uncovered a vulnerability in the Yahoo Android mail client, which can let an attacker do just that by gaining access to a user's Yahoo Mail cookie.

According to the security firm, the bug stems from the communication between the Yahoo mail server and the Yahoo Android mail client. Once the attacker has the cookie, he or she can use the compromised Yahoo Mail account to send specially crafted messages, not to mention access the user's inbox and messages.

Zink first deduced the spam e-mails were being sent from compromised Yahoo accounts on Android devices by looking at the e-mails' header information as well as noting the "Sent from Yahoo! Mail on Android" signature. The Microsoft engineer speculated a cybercriminal had developed a new piece of malware that can access Yahoo Mail accounts on Android devices, send spam messages from them, and had linked them together to create a spam botnet.

The other option (this is what Google is pushing) is that compromised PCs connected to Yahoo Mail are inserting their own Message-ID, overriding Yahoo's Message-IDs, and adding the "Yahoo Mail for Android" tagline at the bottom of the message. The goal here would be to make it look like the spam was coming from Android devices.

Since Yahoo provides the originating IP address for its e-mails, it is possible to see where the spam is being sent from: Asia, Eastern Europe, the Middle East, and South America. The e-mails Zink got his hands on came from Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. Samples analyzed by Sophos originated from Argentina, Ukraine, Pakistan, Jordan, and Russia. Trend Micro did not detail where it saw its spam e-mails coming from.
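The deduction described above rests on three header-level signals: the "Sent from Yahoo! Mail on Android" tagline, an Android-looking Message-ID, and the originating IP that Yahoo records. The tagline and the Message-ID can be written by any sender, which is exactly Google's counter-explanation, so a defender triaging a mailbox should treat them as weak indicators and lean on the per-IP volume, which is harder to fake. The script below is an added example of that triage and is not code from the article, from Trend Micro or from Zink. It assumes the originating address is carried in an `X-Originating-IP` header, uses a Message-ID layout and IP addresses that are constructed for the example (not Yahoo's real format), and groups a handful of constructed messages by source address to show which ones look like a burst and which carry contradictory Android markers.

```python
"""Header triage for suspected "sent from Android" spam (added example, constructed data)."""
import email
import ipaddress
from collections import defaultdict
from email import policy

# Tagline the article reports at the bottom of the spam messages.
ANDROID_SIGNATURE = "Sent from Yahoo! Mail on Android"
# Token assumed to appear inside an Android-client Message-ID. The Message-ID
# layout used in the samples below is constructed, not Yahoo's real format.
ANDROID_ID_MARKER = "androidMobile"
# Header assumed to carry the originating client address (assumption).
ORIGINATING_IP_HEADER = "X-Originating-IP"


def parse_message(raw):
    """Extract the indicators the triage needs from one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Yahoo-style headers wrap the address in brackets; validate it strictly.
    ip_raw = (msg.get(ORIGINATING_IP_HEADER) or "").strip("[] ")
    try:
        origin = str(ipaddress.ip_address(ip_raw))
    except ValueError:
        origin = None  # missing or malformed: keep the message, mark origin unknown
    message_id = (msg.get("Message-ID") or "").strip()
    return {
        "message_id": message_id,
        "origin_ip": origin,
        "android_signature": ANDROID_SIGNATURE in text,
        "android_message_id": ANDROID_ID_MARKER in message_id,
    }


def triage(raw_messages, burst_threshold=3):
    """Group messages by originating IP and summarise what each source looks like.

    "android_claims" counts messages carrying either Android marker (forgeable),
    "inconsistent" counts messages where the tagline and the Message-ID disagree
    (one Android-style signal without the other), and "burst" flags sources that
    sent at least burst_threshold messages in the sample.
    """
    by_ip = defaultdict(list)
    for raw in raw_messages:
        info = parse_message(raw)
        by_ip[info["origin_ip"]].append(info)
    report = {}
    for ip, infos in by_ip.items():
        report[ip] = {
            "count": len(infos),
            "android_claims": sum(
                1 for i in infos if i["android_signature"] or i["android_message_id"]
            ),
            "inconsistent": sum(
                1 for i in infos if i["android_signature"] != i["android_message_id"]
            ),
            "burst": len(infos) >= burst_threshold,
        }
    return report


def _sample(origin, message_id, with_signature):
    """Build one constructed message; addresses and IDs are placeholders."""
    tail = "\n\n" + ANDROID_SIGNATURE if with_signature else ""
    return (
        "From: victim@mail.example\n"
        "To: friend@mail.example\n"
        "Subject: check this out\n"
        f"Message-ID: {message_id}\n"
        f"{ORIGINATING_IP_HEADER}: [{origin}]\n"
        "\n"
        f"http://example.invalid/link{tail}\n"
    )


# Constructed sample set: three messages from one source with both Android
# markers, one with the tagline but a PC-style Message-ID, one with a bad header.
SAMPLES = [
    _sample("203.0.113.7", "<1352700001.1001.androidMobile@web.mail.example>", True),
    _sample("203.0.113.7", "<1352700002.1002.androidMobile@web.mail.example>", True),
    _sample("203.0.113.7", "<1352700003.1003.androidMobile@web.mail.example>", True),
    _sample("198.51.100.9", "<20121112.abc123@pc.mail.example>", True),
    _sample("not-an-ip", "<20121112.def456@pc.mail.example>", False),
]

if __name__ == "__main__":
    for ip, summary in triage(SAMPLES).items():
        print(ip, summary)
```

Run it as-is to see the per-source summary; to use it on a real mailbox, feed `triage()` the raw text of each message from the Sent folder. A source that is flagged `burst` with zero `inconsistent` messages is what an Android-client botnet would produce, while `inconsistent` messages point at a sender that bolts the tagline onto mail generated elsewhere, as in Google's explanation; neither outcome is proof on its own.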

Even if you are not in any of these countries, please be careful. Android lets you download and install apps from anywhere. Please only install apps from Google Play unless you are absolutely certain you know who wrote the software you want to install.

I have contacted both Google and Yahoo about Trend Micro's findings and will update you if I hear back.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

  • Good to get the FACTS out.

    Let's get the real FACTS out as soon as you can. Speculation on how is less beneficial until we know some more facts.
  • What about fixing Microsoft's problems?

    Now if we could only get Microsoft engineers to work on Windows and close all the holes that allow Windows to be the preferred home of botnets every where.
    • You mean like Windows 8?

      Windows is the preferred home of botnets and malware and everything else because it has the biggest market share. If Mac or Linux become more popular then it will be the next target.
      • Win 8 doesn't fix the problems currently in the field

        It is unproven whether Windows 8 will be resistant to botnets. Even if it is, big IF, that does nothing to fix the problem with their previous releases which host botnets responsible for more than half of the emails sent every day.
      • SFDD...

        Same FUD Different Day.

        In order for your statement to not be ignorantly inaccurate you must preface it with "All other things being the same, if Mac or Linux become more popular then it will be the next target."

        Both Linux and Mac, each having an install base larger than the largest of Windows botnets, are already big enough targets for hackers wanting to create a botnet. If this were easily done then there would already be reports of large botnets on these platforms.

        With Mac this has already happened recently and time will tell if Apple will rise to the occasion and make this a one time thing or if it will be plagued with such attacks for the next decade or so as Microsoft has and still suffers.
    • I'm not seeing how fixing Windows issues on a PC

      will fix the Yahoo issue on Android.

      I'm sure you meant to follow up with more on the correlation between the two.
      William Farrel
      • Correlation?

        What do you think is the controller for the reported Android botnet, someone's phone? The botnet is likely checking in with a compromised PC or twelve. With all the compromised PC's in the world I find it amazing that Microsoft Engineers have time to throw stones when they should be working to fix their own product. I guess MS has given up on fixing their own problems and have decided we should just live with all DDOS attacks and SPAM generated by machines running their software. This whole episode is like the pot calling the wooden spoon black.
      • Now Will... I'm not sure if embarrassed is an emotion you are

        genetically predisposed to feel but won't you be embarrassed if it turns out that there is no Android botnet? There has been confirmation that the Yahoo Android app is leaking information that could be used by an attacker to gain access to the Yahoo accounts but this is hardly an android issue and hardly evidence of an Android botnet.

        "The bug reportedly stems from the communication between the Yahoo mail server and the Yahoo Android mail client, according to the security firm. Once the attacker has the cookie, he or she can use the compromised Yahoo Mail account to send specially-crafted messages, not to mention access the user's inbox and messages."

        If the communication is intercepted between the Yahoo client and server software, once the attacker has the cookie why would he need an Android botnet to exploit the trust relationship? Why would anyone need to put in the work to build one on Android when they already have the authentication cookies to access Yahoo accounts and send spam, when there are so many running botnets available already?

        P.S. Guess where those botnets reside?
    • Funny thing about ABMers

      It's funny how quickly some Microsoft hating moron has to turn an article about Android malware into a line of BS about fixing Windows. When will the MS haters grow up and accept the fact that other software can have flaws, too?

      • Funny thing about MS Astroturfers

        is that they still have no evidence (aside the punchline inserted at the bottom of some spam) of any actual Android botnet. Of course all software is prone to bugs and flaws but from this article, I still don't see anything else that points to added evidence of said Android botnet. This is all still speculation. So now everyone's all over the various theories on how Yahoo! Accounts are being compromised yet only the Yahoo! accounts with Android monikers get the big press?? Naturally nobody bats an eyelid at the copious quantities of Yahoo! PC Accounts spreading spam...

        Sent from my Samsung Tablet running Windows 8 Natively in an iMac G5 Emulator!
    • Rubbish

      Most nodes in PC botnets are in Third World countries, running ancient, pirated versions of Windows XP, with automatic updating disabled. In general, the failure point is the user.

      Anecdotally, most people I meet from Eastern Europe run pirated XP, installed by 'friends' for 'free'. These 'friends' also disable automatic updates, and warn not to re-enable it or risk being detected by Microsoft (or some such rubbish).
  • Is there a Bigger Problem at webmail Powered by Yahoo
    When I first read your posting earlier this month, I thought you had missed a bigger problem with Yahoo accounts.

    Here in North Carolina area and probably elsewhere, I have been receiving daily malicious spam and malware propagating through webmail usually from ATT/Bellsouth/SBC addresses "POWERED BY YAHOO". These emails come from family and friends when my email address appears in their Contacts list. One friend sent out 892 emails on a Sunday afternoon. My findings are that the PCs are NOT infected with trojans or bots.

    When I have tracked the links in the emails (sort of a "honeypot project"), it takes me to a page, but no obvious intrusion. It seems to be more of a website click count for unknown purposes.

    Through research and diagnostics, I am convinced that the ATT/Bellsouth/SBC accounts have been compromised and the passwords hacked. The email addresses are easily obtainable from chain email; the passwords are hackable with tools thus allowing entry to the webmail system. Most of my middle-aged customers have simple rather than complex passwords.

    Emil Protalinski's report above seems to have a limited scope with an Android App Vulnerability, which may not be the same as my experience. I see no evidence that the spam emails come from a mobile device; in fact the opposite. Nonetheless, my findings bear some scrutiny by someone who wants to zero in on the source of the problem.

    I have about 20 of the suspect emails in my spam folder. Contact me if you want me to share.

    • I have noticed the same

      It seems like nearly everyone I know who has a Yahoo! email account has been hacked, and has had spam emails sent through their Yahoo! account to everyone in their address book. This has happened to people I know who are very security-conscious and who use complex passwords on their Yahoo! accounts, as well as people who just use something like "password" for their Yahoo! password.

      Interestingly, every time I've been asked to investigate after this has happened to someone, I find no evidence of any malware on their PC or Mac computer, and I find no evidence of the spam emails in their "Sent Mail" folder on Yahoo!, etc.

      I am convinced there must be some flaw in Yahoo!'s systems that is allowing hackers to access people's Yahoo! email accounts.

  • Google didn't write the yahoo mail app

    This is just another yahoo screwup.
  • Gogle

    They must accept the fact that this is a big world, and everyone is after the big boys. Security is a big problem these days and companies that provide a service to the world are going to get hit.
  • Why isn't this issue getting more attention?

    This issue is affecting so many Yahoo email accounts - I can't believe it hasn't received more attention. I spent a few hours sleuthing this as a friend's Yahoo account was compromised this morning 11/12/2012.

    - My friend clicked on a link from a spam email that was opened in their Safari browser - url was
    - The url at the link was able to access their Yahoo webmail account - within a minute emails started going out to everyone in their address book - they were logged into Yahoo at the time

    - I looked at a bunch of the sent emails:
    -- Message-ID had the androidMobile in it. At a glance the Message-IDs looked legit.
    -- Two ips were used to send a couple hundred emails - one in Romania - and one in India
    -- The one in India is reputed to have the lethic spambot and is part of a botnet

    I'd say that indicates:
    - A security hole in Yahoo's webmail - maybe some yahoo developer script to allow XSS?
    - Existence of an Android botnet
  • Yahoo needs to step up and admit/fix this security hole,

    O.M.G. this exact same thing happened to my yahoo acct yesterday.
    my spam sent out was "check this out"
    in my sent folder, the ip address was, something to do with russia or something NOT anywhere i am (phoenix, AZ).
    I use chrome browser on Ubuntu... the link i was sent (by another yahoo victim) earlier was: that apparently caused my troubles.
    Yahoo really needs to step up and fix this.
  • Fake android message-ID?

    by the way, why do you say, in addition to a yahoo flaw, your research indicates "Existence of an Android botnet"? Based solely on a "Message-ID had the androidMobile" in it? (which, by the way, is what i saw, too)
    I was under the impression that Message-ID's are entirely fake-able. No?
    • Yes they can be faked...

      Yes Message-IDs are able to be faked and it could be that these are. But if they are being faked, why not fake them a little better? Why always pretend it's coming from Yahoo's android app - why not iPhone or webmail to mix it up a little? I also looked at numbers that come before it -- here's an example of the full id and they were very consistent - not random like you'd expect with a faked number.

      So yeah - proof of a botnet? Definitely not. Indicator? I think yes...
  • does yahoo email have an api?

    thanks CodeSmith,
    so i can't stop thinking about this; i've lots of questions :-)
    The pattern of spam (by looking at my sent folder after-the-fact) is that the spammers sent, in alphabetical order by first name, a spam to everyone in my address book. It sent several per minute; rough count of 150 or so over a period of twenty minutes. It went from 'A' through 'R' in my address book -- I assume it stopped because Yahoo's automated security finally threw up a 'captcha' type screen.

    So this got me to wondering -- how does anybody (i mean non-maliciously) access the address book and generate emails in yahoo? is there an api?