Yahoo has confirmed a vulnerability in its Mail app for Android is affecting a portion of its customers.
Some had suspected such a flaw was the actual cause of a spam campaign, which a number of researchers had initially claimed was caused by an Android botnet.
Microsoft engineer Terry Zink thought he had identified the first real evidence of an Android spamming botnet, having come across spam messages claiming to come from Yahoo accounts accessed on Google’s Android operating system. Sophos also believed it was likely an Android botnet was responsible for the spam.
Other theories emerged, including one from security firm Lookout, which said it knew of vulnerabilities in the Yahoo Mail app for Android. Trend Micro also said it had uncovered a Yahoo! Android app vulnerability, which when exploited, allowed an attacker to send spammed messages using the compromised Yahoo account.
“We recently uncovered a vulnerability in Yahoo Android mail client, which can allow an attacker to gain access to a user’s Yahoo Mail cookie,” the firm wrote in a blog post. “This bug stems from the communication between Yahoo mail server and Yahoo Android mail client. By gaining this cookie, the attacker can use the compromised Yahoo Mail account to send specially-crafted messages. The said bug also enables an attacker to gain access to user’s inbox and messages.”
In response to Trend’s findings, Yahoo said it had “learned of an isolated security vulnerability in the Yahoo Mail Android app. “Our analysis indicates that this vulnerability only arises when several external conditions coincide and, as such, is currently only affecting a small number of our Android users,” a spokesperson told TechWeekEurope. “We are actively working on resolving this issue and thank the security community for bringing it to our attention.”
Yahoo’s admittance might now finally put the rumours of a botnet of infected Android devices to rest. But Android is still being pummelled by cyber criminals.
Earlier this month, it emerged that over 100,000 had downloaded rogue Android apps from the official Google Play store, disguising themselves as popular Mario and Grand Theft Auto titles. Another 100,000 had downloaded Android malware from a third-party store in China, which was surreptitiously buying up apps on China Mobile’s Mobile Market.
Are you a security guru? Try our quiz!
Tesla makes key advances toward advanced self-driving rollout in China as chief Elon Musk meets…
New UK rules bring in basic security requirements for millions of internet-connected devices, aiming to…
Google parent Alphabet sees market capitalisation surge over $2tn on plan to over first-ever cash…
Google asks Virginia federal court to dismiss case brought by US Justice Department and eight…
Snapchat parent Snap reports user growth, revenues in spite of tough competition, in what may…
Quick-growing fast-fashion company Shein must comply with most stringent level of EU digital rules after…