After a Microsoft engineer claimed an Android botnet was sending out spam from Yahoo accounts, Google denied the allegations. Now a newly discovered vulnerability in the Yahoo Mail app for Android explains how an attacker could be sending out the spam from the mobile devices.
One way spammers could be sending such large quantities of e-mail that appears as if it's being sent from Yahoo accounts used on Android devices is to exploit a Yahoo Android app vulnerability. In fact, Trend Micro says it recently uncovered a vulnerability in the Yahoo Android mail client, which can let an attacker do just that by gaining access to a user's Yahoo Mail cookie.
The bug reportedly stems from the communication between the Yahoo mail server and the Yahoo Android mail client, according to the security firm. Once the attacker has the cookie, he or she can use the compromised Yahoo Mail account to send specially-crafted messages, not to mention access the user's inbox and messages.
Zink, the Microsoft engineer, first deduced that the spam e-mails were being sent from compromised Yahoo accounts on Android devices by looking at the e-mails' header information and noting the "Sent from Yahoo! Mail on Android" signature. He speculated that a cybercriminal had developed a new piece of malware that can access Yahoo Mail accounts on Android devices, send spam messages from them, and link the devices together into a spam botnet.
The other option (the one Google is pushing) is that compromised PCs connected to Yahoo Mail are inserting their own Message-ID headers, overriding the Message-IDs Yahoo would normally generate, and adding the "Yahoo Mail for Android" tagline at the bottom of the message. The goal would be to make the spam look as if it came from Android devices.
Since Yahoo provides the originating IP address for its e-mails, it is possible to see where the spam is being sent from: Asia, Eastern Europe, the Middle East, and South America. The e-mails Zink got his hands on came from Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. Samples analyzed by Sophos originated from Argentina, Ukraine, Pakistan, Jordan, and Russia. Trend Micro did not detail where it saw its spam e-mails coming from.
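The header checks described in the preceding paragraphs (the Android tagline, the origin of the Message-ID, and the originating IP) can be turned into a simple triage script. The example below is added here and is not code from the article or from any of the vendors named; the sample messages are constructed, and the exact shape of Yahoo's Message-ID and the use of an X-Originating-IP header are assumptions about how the mail looked, not facts taken from the page. The heuristic it implements is the one the Google hypothesis implies: a message whose body claims to come from the Yahoo Android client but whose Message-ID was not minted by Yahoo's infrastructure deserves a closer look.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Tagline quoted in the article as the marker of the Yahoo Android client.
ANDROID_TAGLINE = "Sent from Yahoo! Mail on Android"

# Constructed sample messages (not from the article). Header layouts are assumptions.
LEGIT_MSG = """From: someone@yahoo.com
To: victim@example.com
Subject: hello
Message-ID: <1234567890.12345.AndroidMail@web12345.mail.yahoo.com>
X-Originating-IP: [198.51.100.7]

Check this out.

Sent from Yahoo! Mail on Android
"""

SPOOFED_MSG = """From: someone@yahoo.com
To: victim@example.com
Subject: great deal
Message-ID: <20120704.abcdef@spambox.invalid>
X-Originating-IP: [203.0.113.9]

Buy now!!!

Sent from Yahoo! Mail on Android
"""

# A desktop client submitting through Yahoo legitimately mints its own Message-ID,
# so a non-Yahoo Message-ID alone is not suspicious; only the tagline claim makes it so.
DESKTOP_MSG = """From: someone@yahoo.com
To: victim@example.com
Subject: notes
Message-ID: <4FF3A1B2.5060702@laptop.example.org>
X-Originating-IP: [192.0.2.44]

See attached notes.
"""


def analyze(raw: str) -> dict:
    """Extract the indicators discussed in the article and flag inconsistencies."""
    msg = email.message_from_string(raw, policy=policy.default)

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()

    # Domain part of the Message-ID, i.e. which host claims to have generated it.
    mid_match = re.search(r"@([^>\s]+)", str(msg.get("Message-ID", "")))
    mid_domain = mid_match.group(1).lower() if mid_match else ""

    # Originating IP as Yahoo exposed it (header name assumed); no geolocation offline.
    ip_match = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", str(msg.get("X-Originating-IP", "")))
    originating_ip = ip_match.group(0) if ip_match else None

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    has_tagline = ANDROID_TAGLINE in text

    # Assumption: mail generated by Yahoo's own Android client path carries a
    # Message-ID under yahoo.com. A tagline claim without such an ID matches the
    # "compromised PC pretending to be Android" scenario.
    mid_from_yahoo = mid_domain.endswith("yahoo.com")
    suspicious = has_tagline and not mid_from_yahoo

    return {
        "from_domain": from_domain,
        "message_id_domain": mid_domain,
        "originating_ip": originating_ip,
        "android_tagline": has_tagline,
        "suspicious": suspicious,
    }


def triage(raw_messages) -> list:
    """Return the analyses of messages whose headers contradict the Android claim."""
    return [r for r in (analyze(m) for m in raw_messages) if r["suspicious"]]


if __name__ == "__main__":
    for result in triage([LEGIT_MSG, SPOOFED_MSG, DESKTOP_MSG]):
        print("suspicious:", result)
```

Run on real samples, the originating IPs this extracts are what you would feed to a geolocation lookup to reproduce the country breakdown the researchers reported; the script itself stays offline.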
Even if you are not in any of these countries, please be careful. Android lets you download and install apps from anywhere. Please only install apps from Google Play unless you are absolutely certain you know who wrote the software you want to install.
I have contacted both Google and Yahoo about Trend Micro's findings and will update you if I hear back.