Yahoo Android App Lets Attackers Send Spam

Thomas Brewster,

Yahoo says a flaw in its Android Mail app affects a limited number of users

Yahoo has confirmed a vulnerability in its Mail app for Android is affecting a portion of its customers.

Some had suspected such a flaw was the actual cause of a spam campaign, which a number of researchers had initially claimed was caused by an Android botnet.

Microsoft engineer Terry Zink thought he had identified the first real evidence of an Android spamming botnet, having come across spam messages claiming to come from Yahoo accounts accessed on Google’s Android operating system. Sophos also believed it was likely an Android botnet was responsible for the spam.

Google subsequently denied Zink’s suggestion, claiming its research suggested spammers were “using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using.”

Other theories emerged, including one from security firm Lookout, which said it knew of vulnerabilities in the Yahoo Mail app for Android. Trend Micro also said it had uncovered a Yahoo! Android app vulnerability, which when exploited, allowed an attacker to send spammed messages using the compromised Yahoo account.

“We recently uncovered a vulnerability in Yahoo Android mail client, which can allow an attacker to gain access to a user’s Yahoo Mail cookie,” the firm wrote in a blog post. “This bug stems from the communication between Yahoo mail server and Yahoo Android mail client. By gaining this cookie, the attacker can use the compromised Yahoo Mail account to send specially-crafted messages. The said bug also enables an attacker to gain access to user’s inbox and messages.”

Yahoo opens up

In response to Trend’s findings, Yahoo said it had “learned of an isolated security vulnerability in the Yahoo Mail Android app. “Our analysis indicates that this vulnerability only arises when several external conditions coincide and, as such, is currently only affecting a small number of our Android users,” a spokesperson told TechWeekEurope. “We are actively working on resolving this issue and thank the security community for bringing it to our attention.”

Yahoo’s admittance might now finally put the rumours of a botnet of infected Android devices to rest. But Android is still being pummelled by cyber criminals.

Earlier this month, it emerged that over 100,000 had downloaded rogue Android apps from the official Google Play store, disguising themselves as popular Mario and Grand Theft Auto titles. Another 100,000 had downloaded Android malware from a third-party store in China, which was surreptitiously buying up apps on China Mobile’s Mobile Market.

Are you a security guru? Try our quiz!