Traffic Sniffing, Not Botnet, May Have Led to Android Spam Run
July 17, 2012
It's not every day that you get a security story that involves Yahoo, Google and Microsoft, but that's what has happened with the claims from a Microsoft official that there was an Android-based botnet in existence sending spam from compromised devices. Now it seems that the spam emanating from Android phones may instead be the result of a bug in the Yahoo Mail app: it sends its traffic unencrypted, which lets an attacker on the same network sniff that traffic and hijack users' sessions.
The original report of the spam messages coming from Android devices came from a blog post by Terry Zink, a Microsoft engineer, who said that he'd found some interesting spam samples that he thought came from Android devices that were compromised.
"All of these messages are sent from Android devices. We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices login to the user’s Yahoo Mail account and send spam," Zink said in his post.
Google immediately challenged this claim, saying that no such botnet existed.
"Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google said.
Researchers at Lookout Mobile Security looked at the messages and some other information and came to the conclusion that the spam may have been the result of attackers sniffing users' traffic on open networks and looking for Yahoo Mail traffic specifically.
"It’s come to our attention that Yahoo! Mail for Android does not encrypt its communications by default – it performs all its functions over HTTP, not HTTPS. This means that any traffic that is sent by the Yahoo! Mail Android app can easily be intercepted over an open network connection such as a public WiFi network. This exposes Yahoo! Mail for Android to session hijacking, a form of attack that gained mainstream attention with Firesheep in Fall of 2010," Lookout researchers said.
An attack using this vector would be fairly simple. Because the app sends its requests over plain HTTP, an attacker on the same open network could watch for Yahoo Mail traffic, wait for a user to check mail on the Android device and copy the session cookie straight out of the cleartext request. Replaying that cookie in the attacker's own requests would then let them send mail that looks exactly as if it had come from the user's account on the Android device, without ever learning the user's password.
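To make concrete what an eavesdropper on the open network actually sees, here is an added Python example (not code from the original article, from Lookout or from Yahoo) that parses a constructed cleartext HTTP exchange, pulls the session cookie out of the request, checks whether the server's Set-Cookie carried the Secure attribute that would have stopped the client from ever sending it over plain HTTP, and builds the replay request an attacker would send with the stolen cookie. The hostname, cookie name and cookie values are invented for illustration.

```python
"""
Cleartext session-hijack walkthrough over a constructed HTTP capture.

Everything here is illustrative: the host, cookie name and values are made up,
and the "capture" is just bytes built inline as an eavesdropper on an open
Wi-Fi network would see them on the wire.
"""

# Constructed sample: the request an unencrypted mail app sends when the user
# opens their inbox, and the server's earlier response that set the cookie.
CAPTURED_REQUEST = (
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"User-Agent: ExampleMailApp/1.0 (Android)\r\n"
    b"Cookie: SESSID=0123456789abcdef; lang=en\r\n"
    b"\r\n"
)

# Constructed weak response: the session cookie is marked HttpOnly but not Secure.
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: SESSID=0123456789abcdef; Path=/; HttpOnly\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed hardened response: with Secure set, a conforming client will only
# ever send SESSID over HTTPS, so a plain-HTTP app would simply fail to log in.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: SESSID=0123456789abcdef; Path=/; Secure; HttpOnly\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def _split_headers(raw: bytes):
    """Split a raw HTTP message into its start line and (lowercase name, value) pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def extract_cookies(request: bytes) -> dict:
    """Return every cookie readable from a cleartext request's Cookie header."""
    _, headers = _split_headers(request)
    cookies = {}
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def set_cookie_attributes(response: bytes) -> dict:
    """Map each cookie the response sets to the lowercase attributes it carries."""
    _, headers = _split_headers(response)
    result = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        result[cookie_name] = {p.partition("=")[0].lower() for p in parts[1:] if p}
    return result


def assess_session_exposure(request: bytes, response: bytes,
                            scheme: str, session_cookie: str) -> list:
    """List the findings that make the named session cookie hijackable."""
    findings = []
    if scheme == "http" and session_cookie in extract_cookies(request):
        findings.append("session cookie readable on the wire")
    attrs = set_cookie_attributes(response).get(session_cookie)
    if attrs is not None and "secure" not in attrs:
        findings.append("Set-Cookie lacks Secure; client may send it over plain HTTP")
    return findings


def forge_request(method: str, path: str, host: str, cookies: dict) -> bytes:
    """Build the replay request: the stolen cookie is the only credential needed."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    stolen = extract_cookies(CAPTURED_REQUEST)
    print("cookies visible to sniffer:", stolen)
    print("weak setup:", assess_session_exposure(CAPTURED_REQUEST, CAPTURED_RESPONSE, "http", "SESSID"))
    print("hardened:", assess_session_exposure(CAPTURED_REQUEST, HARDENED_RESPONSE, "https", "SESSID"))
    print(forge_request("POST", "/mail/send", "mail.example.test", stolen).decode())
```

The two findings are deliberately separate: the first is the bug the article describes (the app talks HTTP, so the cookie is on the wire), the second is the server-side control that would have turned that client bug into a login failure instead of a silent account takeover.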
This kind of attack is used all the time, especially on open WiFi networks in places such as coffee shops, airports and elsewhere. Spammers often use hijacked accounts for their spam runs, but this is the first time that a large number of spam messages have been identified as coming from mobile mail accounts that appear to have been hijacked.