Update: Following a review of our findings with Yahoo, we’re now able to provide additional details and specific recommendations for mobile users:
It’s come to our attention that Yahoo! Mail for Android does not encrypt its communications by default – it performs all its functions over HTTP, not HTTPS. This means that any traffic that is sent by the Yahoo! Mail Android app can easily be intercepted over an open network connection such as a public WiFi network. This exposes Yahoo! Mail for Android to session hijacking, a form of attack that gained mainstream attention with Firesheep in Fall of 2010.
Given this security oversight, we believe that a very plausible explanation for the SMS spam botnet reported recently involves session hijacking:
- An attacker could sniff for Yahoo! Mail specific traffic on open WiFi networks
- Unsuspecting Android users who join the WiFi network check their email using the default (unencrypted) application settings
- The attacker intercepts a particular cookie and can use it to impersonate that user, over whatever networks are available to them, including by tethering to a mobile network
- This allows the attacker to send spam emails that appear 100% legitimate, like those described in the originally reported story
We recommend that users of Yahoo! Mail for Android enable SSL within the application’s settings to protect themselves from this type of attack. From within Yahoo! Mail, simply open Options > General Settings and select ‘Enable SSL’.
In addition, all mobile users should exercise caution when connecting to open WiFi networks from a laptop or mobile device. We recommend that desktop users of Firefox or Chrome install the plugin HTTPS Everywhere to ensure that their traffic to popular sites is properly secured.
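One way to confirm that the ‘Enable SSL’ setting (or any other fix) actually stopped cleartext session traffic is to audit a capture taken on a device and network you control. The script below is an added example, not code from the original post or from Yahoo; the request records, host names and the list of session-like cookie names are constructed assumptions.

```python
"""Audit captured HTTP requests for session cookies sent in cleartext.

Added example (not from the original post). Given request records taken
from a test device, report every session-like cookie that left over plain
http:// rather than https://. Sample data below is constructed; the host
names and the cookie-name hints are assumptions, not Yahoo specifics.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    headers: dict  # raw request headers, names in whatever case the capture used


# Substrings that suggest a cookie carries a session or login token (assumed).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_cookie_header(value: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}, skipping malformed pairs."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def cleartext_session_cookies(requests):
    """Return (url, cookie_name) pairs for session-like cookies sent over http://."""
    findings = []
    for req in requests:
        if urlsplit(req.url).scheme.lower() != "http":
            continue  # TLS-protected (or non-HTTP) transport: not a cleartext exposure
        # HTTP header names are case-insensitive, so match 'Cookie' in any case.
        header = next((v for k, v in req.headers.items() if k.lower() == "cookie"), "")
        for name in parse_cookie_header(header):
            if any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
                findings.append((req.url, name))
    return findings


# Constructed sample capture: one cleartext request, one over TLS, one without cookies.
SAMPLE_REQUESTS = [
    Request("http://mail.example.invalid/inbox", {"Cookie": "sessid=abc123; lang=en"}),
    Request("https://mail.example.invalid/inbox", {"cookie": "sessid=abc123"}),
    Request("http://cdn.example.invalid/logo.png", {}),
]

if __name__ == "__main__":
    for url, name in cleartext_session_cookies(SAMPLE_REQUESTS):
        print(f"cleartext session cookie {name!r} sent to {url}")
```

Any finding means the app is still sending a credential-bearing cookie where an open WiFi network can read it, and the setting change did not take effect.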
We’ve been investigating recent reports of spam being delivered by an Android botnet. While we can’t rule out malware as the cause, a more plausible explanation for this behavior appears to be insecure Android applications.
Initial reports cited information in the spam headers and message footer that indicated message origination via Android devices:
- Message-ID: <1341147286.19774.androidMobile@web140302.mail.bf1.yahoo.com>
- Footer: Sent from Yahoo! Mail on Android
And from the comments section:
Unfortunately, this level of information is not enough to definitively identify any particular cause of the spam messages, since such information is easily replicable. In order for the botnet explanation to be valid, each of the originating devices would have to be infected with mobile malware. While this is certainly a possibility (and one that we can’t refute), there is another explanation that we believe is significantly more likely.
Regardless of how this spam campaign works, it was clear from initial reports that the Yahoo! Mail Android app may play a key role. After taking a detailed look at the app, we’ve found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail. In the interest of responsible disclosure, we cannot at this time provide details around such vulnerabilities. We’ve reached out to Yahoo! with this information and they have acknowledged that their mobile team is actively working on these issues.
We’ll continue to provide updates on this posting as the situation develops.