

Yahoo Defends Android App, Botnet Questions Remain

Security firm traces torrent of spam to Yahoo's failure to activate HTTPS by default in its Android app.

Is a big, bad Android botnet sending mountains of spam to unsuspecting email users?

That was the warning issued by Microsoft researcher Terry Zink last week, who said that spam traps had been capturing inordinate amounts of bogus email that had been sent using Yahoo IP addresses associated with the search giant's Android app. As security experts questioned what exactly might be happening, a Google spokesman cautioned that the available evidence didn't add up to a botnet, but rather "that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using."

Facing criticism for suggesting that there was a new Android botnet sending spam, Zink fired back, saying that whether or not the email signatures are faked, something's been sending spam via Yahoo's Android channels. "The reason these messages appear to come from Android devices is because they did come from Android devices," he said in a blog post.


Other information security researchers backed up that finding. "Many, including Google, have suggested the messages are forged. We see no evidence of this. The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM [DomainKeys identified mail] signatures," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Yahoo, meanwhile, defended its Android app. "While our investigation into claims of a potential malware compromise operating as a botnet is ongoing, we can confirm that there is not a problem with our official Yahoo! Mail app for Android and there is no reason for users to uninstall the app," said a Yahoo spokeswoman Friday via email.

What's going on? "One of two things is happening here," said Wisniewski at Sophos. "We either have a new PC botnet that is exploiting Yahoo!'s Android APIs or we have mobile phones with some sort of malware that uses the Yahoo! APIs for sending spam messages."

But the culprit may not be malware-infected PCs, botnets, or some never-before-seen type of Android malware. According to mobile security firm Lookout Security, the problem is instead the Yahoo Mail Android app's default use of HTTP. "Yahoo! Mail for Android does not encrypt its communications by default--it performs all its functions over HTTP, not HTTPS," according to a blog post from Lookout. "This means that any traffic that is sent by the Yahoo! Mail Android app can easily be intercepted over an open network connection such as a public Wi-Fi network. This exposes Yahoo! Mail for Android to session hijacking, a form of attack that gained mainstream attention with Firesheep."

Introduced in 2010, Firesheep is a Firefox plug-in that can be used on any unsecured Wi-Fi connection to hijack the session cookies of anyone sharing the same connection who logs onto a website that uses HTTP, but not HTTPS. Created by Eric Butler, the plug-in was designed to illustrate how, in his words, "on an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy." Attackers had long been able to execute credential-hijacking attacks using free, open source tools. But in the wake of Butler's plug-in release, numerous online service providers, including Facebook, added HTTPS as an option, if not always a default.

A Yahoo spokeswoman didn't immediately respond to an emailed request for comment on Lookout's theory. But according to Lookout, Yahoo's failure to use HTTPS by default means that an attacker could easily create an open Wi-Fi network, then wait for people using the Yahoo Mail app on Android to join the network, and check their email. "The attacker intercepts a particular cookie and can use it to impersonate that user, over whatever networks are available to them, including by tethering to a mobile network," said Lookout. "This allows the attacker to send spam emails that appear 100% legitimate."

Given that revelation, all Android users who employ the official Yahoo Mail app on their smartphone or tablet should immediately set the app to only check for email using HTTPS, as opposed to the default HTTP setting. According to Lookout, "from within Yahoo! Mail, simply open Options > General Settings and select 'Enable SSL.'"
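The exposure Lookout describes comes down to a session cookie being attached to a cleartext request. The following is an added example, not code from the article, Yahoo or Lookout: it uses Python's standard cookie-jar policy to show that a cookie issued without the `Secure` attribute is sent on an http:// request (where anyone on the same open Wi-Fi can read it), while a `Secure` cookie is withheld until the client talks HTTPS. The hostname and cookie name are constructed for the demonstration; the `Secure` attribute is a server-side control that complements, rather than replaces, the app's SSL setting.

```python
"""Check whether a session cookie would leak over plain HTTP (added example)."""
from http.cookiejar import Cookie, CookieJar
from typing import Optional
from urllib.request import Request


def make_session_cookie(name: str, value: str, domain: str, secure: bool) -> Cookie:
    """Build a version-0 (Netscape-style) cookie as a mail server would set it."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookies_sent(jar: CookieJar, url: str) -> Optional[str]:
    """Return the Cookie header the client would send to url, or None if none."""
    req = Request(url)
    jar.add_cookie_header(req)   # DefaultCookiePolicy withholds Secure cookies on non-https
    return req.get_header("Cookie")


def leaks_over_http(cookie: Cookie, host: str) -> bool:
    """True if this cookie would be transmitted on a cleartext request to host."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    return cookies_sent(jar, f"http://{host}/inbox") is not None


if __name__ == "__main__":
    host = "mail.example.test"   # constructed hostname, not a real service
    weak = make_session_cookie("SID", "abc123", host, secure=False)
    fixed = make_session_cookie("SID", "abc123", host, secure=True)
    print("cookie without Secure leaks over HTTP:", leaks_over_http(weak, host))
    print("cookie with Secure leaks over HTTP:   ", leaks_over_http(fixed, host))
```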

Furthermore, while this latest attack targets only users of the Android Yahoo Mail app, it reinforces the need to use HTTPS whenever possible. "All mobile users should exercise caution when connecting to open Wi-Fi networks from a laptop or mobile device. We recommend that desktop users of Firefox or Chrome install the plug-in HTTPS Everywhere to ensure that their traffic to popular sites is properly secured," according to Lookout.

