July 5, 2012

UPDATE: Our Thoughts on the Android Spam “Botnet”

Update: Following a review of our findings with Yahoo, we’re now able to provide additional details and specific recommendations for mobile users:

It’s come to our attention that Yahoo! Mail for Android does not encrypt its communications by default – it performs all its functions over HTTP, not HTTPS. This means that any traffic that is sent by the Yahoo! Mail Android app can easily be intercepted over an open network connection such as a public WiFi network. This exposes Yahoo! Mail for Android to session hijacking, a form of attack that gained mainstream attention with Firesheep in Fall of 2010.

Given this security oversight, we believe that a very plausible explanation for the SMS spam botnet reported recently involves session hijacking:

  1. An attacker could sniff for Yahoo! Mail-specific traffic on open WiFi networks
  2. Unsuspecting Android users who join the WiFi network check their email using the default application settings
  3. The attacker intercepts a particular cookie and can use it to impersonate that user over whatever networks are available to them, including by tethering to a mobile network
    • This allows the attacker to send spam emails that appear 100% legitimate, like those described in the original reported story
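The condition the three steps above depend on is a session cookie travelling over plain HTTP. As an added example (not code from Lookout or from the Yahoo! Mail app), the following audit walks a log of an app's requests and flags exactly that, which is how a defender would verify that a setting like ‘Enable SSL’ actually removed the exposure. The request records, host name and cookie names are constructed for illustration, and the session-cookie name heuristics are an assumption.

```python
# Added example: flag requests that send a session-like cookie in cleartext.
# Request records, host and cookie names below are constructed; the
# SESSION_COOKIE_HINTS heuristics are an assumption, not a Yahoo! convention.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")  # assumed


@dataclass
class Request:
    scheme: str                      # "http" or "https"
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def session_cookies(cookie_header: str) -> list:
    """Names in a Cookie header that look like session credentials."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return [n for n in jar if any(h in n.lower() for h in SESSION_COOKIE_HINTS)]


def cleartext_session_leaks(requests: list) -> list:
    """(host, path, cookie names) for every plain-HTTP request carrying a
    session-like cookie; HTTPS requests and cookie-less requests are fine."""
    leaks = []
    for r in requests:
        cookie_hdr = r.headers.get("Cookie", "")
        names = session_cookies(cookie_hdr) if cookie_hdr else []
        if r.scheme == "http" and names:
            leaks.append((r.host, r.path, names))
    return leaks


# Constructed sample: default settings (plain HTTP with a session cookie),
# the same request after enabling SSL, and a plain request with no cookie.
SAMPLE = [
    Request("http", "mail.example.com", "/inbox",
            {"Cookie": "Y_SESSID=abc123; theme=dark"}),
    Request("https", "mail.example.com", "/inbox",
            {"Cookie": "Y_SESSID=abc123"}),
    Request("http", "mail.example.com", "/static/logo.png", {}),
]

if __name__ == "__main__":
    for host, path, names in cleartext_session_leaks(SAMPLE):
        print(f"session cookie(s) {names} sent in cleartext to http://{host}{path}")
```

Only the first sample request is reported; the HTTPS request carries the same cookie but the network cannot read it.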

We recommend that users of Yahoo! Mail for Android enable SSL within the application’s settings to protect themselves from this type of attack. From within Yahoo! Mail, simply open Options > General Settings and select ‘Enable SSL’.

In addition, all mobile users should exercise caution when connecting to open WiFi networks from a laptop or mobile device. We recommend that desktop users of Firefox or Chrome install the plugin HTTPS Everywhere to ensure that their traffic to popular sites is properly secured.

We’ve been investigating recent reports of spam being delivered by an Android botnet. While we can’t rule out malware as the cause, a more plausible explanation for this behavior appears to be insecure Android applications.

Initial reports cited information in the spam headers and message footer that indicated message origination via Android devices:

And from the comments section:

Unfortunately, this level of information is not enough to definitively identify any particular cause of the spam messages, since such information is easily replicable. In order for the botnet explanation to be valid, each of the originating devices would have to be infected with mobile malware. While this is certainly a possibility (and one that we can’t refute), there is another explanation that we believe is significantly more likely.

Regardless of how this spam campaign works, it was clear from initial reports that the Yahoo! Mail Android app may play a key role. After taking a detailed look at the app, we’ve found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail. In the interest of responsible disclosure, we cannot at this time provide details around such vulnerabilities. We’ve reached out to Yahoo! with this information and they have acknowledged that their mobile team is actively working on these issues.

We’ll continue to provide updates on this posting as the situation develops.

  1. […] July 6, 9:03 a.m. PT: In a blog post, Lookout said it is easy to spoof spam headers and message footers and that a more likely […]

  2. This is an interesting finding, but not related to the spams we are seeing. The accounts we are seeing sending the spam are generated by the spammer, not legitimate Yahoo! accounts.

    Chester Wisniewski
    Sophos Inc.

  3. […] that day, however, Lookout Security said “a more plausible explanation for this behavior appears to be insecure Android […]

  4. karen says:

    application sucks. misplaced phone, unable to locate with application. sorry i downloaded. waste of space!

  5. […] (it performs all its functions over HTTP, not HTTPS,” according to a post on Lookout’s blog. “This means that any data traffic sent by the Yahoo Mail app for […]

  6. […] reported recently involves event hijacking,” Lookout CTO Kevin Mahaffey wrote in an updated blog post. As we reported yesterday, Microsoft and Sophos primarily believed a spam conflict entrance from […]
