Just days after reports of a supposed Android botnet spam run surfaced, we found a Yahoo! Android app vulnerability which, when exploited, allows an attacker to send spammed messages from the compromised Yahoo! account.
First Spam Run via Android Botnet?
Last week, several messages were found peddling fake pharma sites or containing links leading to phishing sites. What made this spam different, however, was the use of “Sent from Yahoo! Mail on Android” in the message signature and the “androidMobile” value in the Message-ID field. Based on reports, the IP addresses indicated in these messages were assigned to mobile network operators and were located in developing countries.
Given this evidence, some experts surmised that the spammers may have used Android devices compromised with malicious apps. Google, however, disputed that the spam was sent from an Android botnet, stating that the spammers behind this may have used infected PCs and a fake mobile signature in an attempt to bypass email filters.
Just recently, another possible scenario was proposed. Certain security researchers theorized that spammers could take advantage of a Yahoo! Android app vulnerability to compromise a mobile device and spam users with messages.
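As an added example (not Trend Micro's code and not part of the original post), the two indicators described above, the “androidMobile” token in the Message-ID and the mobile signature line, can be turned into a triage check over raw messages; the sample message and its addresses are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Indicators from the reported spam run. Both can be forged from a PC, so they
# are triage hints for review, not proof that a message came from an Android device.
MSGID_TOKEN = "androidMobile"
SIGNATURE = "Sent from Yahoo! Mail on Android"

# Constructed sample; hosts, addresses and IDs are placeholders, not real indicators.
SAMPLE_SPAM = """\
Received: from web.example-mail.invalid (HELO web) (192.0.2.45)
  by mx.example.invalid with SMTP; Mon, 09 Jul 2012 10:11:12 +0000
Message-ID: <1341828672.12345.androidMobile@web.example-mail.invalid>
From: "Some User" <someuser@example.invalid>
To: victim@example.invalid
Subject: cheap meds
Content-Type: text/plain; charset=us-ascii

Great prices here: http://pharma.example.invalid/
Sent from Yahoo! Mail on Android
"""

def first_external_ip(msg: Message) -> Optional[str]:
    """Return the IP in the earliest (origin-most) Received header, if any."""
    received = msg.get_all("Received") or []
    for hop in reversed(received):            # last Received header = first hop
        m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", hop)
        if m:
            return m.group(1)
    return None

def triage(raw: str) -> dict:
    """Flag the two Android-spam indicators and record the originating IP."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True) or b""
    text = body.decode(msg.get_content_charset() or "utf-8", "replace")
    msgid = msg.get("Message-ID", "")
    result = {
        "android_msgid": MSGID_TOKEN in msgid,
        "android_signature": SIGNATURE in text,
        "origin_ip": first_external_ip(msg),
        "links": re.findall(r"https?://\S+", text),
    }
    # Both markers together match the reported campaign; queue for review rather
    # than blocking outright, since the signature is trivially faked.
    result["matches_campaign"] = result["android_msgid"] and result["android_signature"]
    return result
```

The origin IP can then be compared against the mobile operator ranges the reports mention; a match with the markers present but no mobile origin supports the infected-PC explanation.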
Spammers May Exploit Yahoo! Mail Android Vulnerability
Regardless of how these messages were sent, attackers exploiting a Yahoo! Android vulnerability to compromise a Yahoo! Mail account and send spam is a possibility. In fact, we recently uncovered a vulnerability in the Yahoo! Android mail client which can allow an attacker to gain access to a user’s Yahoo! Mail cookie. This bug stems from the communication between the Yahoo! mail server and the Yahoo! Android mail client. By obtaining this cookie, the attacker can use the compromised Yahoo! Mail account to send specially crafted messages. The same bug also enables an attacker to gain access to the user’s inbox and messages.
Currently, we are coordinating with Yahoo! about this particular bug. We will also be posting a separate blog entry for our technical analysis of the vulnerability.
However spammed messages are sent, users should still be wary of spam, as it poses certain risks. Users who click the links are led to fake pharmaceutical sites offering bogus products or to phishing pages asking them to divulge sensitive information. Thus, users must never download attachments or click links contained in dubious-looking messages.
Trend Micro protects users from this threat via Smart Protection Network™, which blocks these messages. Mobile users can benefit from Trend Micro Mobile Security Personal Edition, which detects malicious Android apps.
Android users must avoid downloading apps from third-party app stores, as this increases the risk of downloading malware disguised as Android apps. To know more about how to protect your devices, you may read the following Digital Life e-Guides specific to Android users.