What Lookout Mobile Security has uncovered is that by default the official Yahoo! Mail app for Android does not have any security enabled. There is an option to use SSL, but for some reason it is turned off by default. Yahoo claims otherwise, but others have found the same thing in the app and established that SSL is off by default when downloading the application from the Android store.
One consequence of sniffing that unencrypted traffic is that the attacker ends up with the same session ID as the user in question. This would explain why Sophos saw the data that they claimed would be almost impossible to spoof. Lookout has an excellent analysis of how this works on their site:
1. An attacker could sniff for Yahoo! Mail specific traffic on open WiFi networks
2. Unsuspecting Android users that join the WiFi network check their email using default application settings
3. The attacker intercepts a particular cookie and can use it to impersonate that user, over whatever networks are available to them, including by tethering to a mobile network

This allows the attacker to send spam emails that appear 100% legitimate, as those indicated in the original reported story.
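The weakness in those three steps is a session cookie travelling over cleartext HTTP, and the server-side mitigation is to mark such cookies Secure so a client cannot send them without TLS. The following is an added example, not code from the article, Lookout or Yahoo: it parses constructed HTTP messages (the cookie name `sessid` and host are stand-ins) and flags session cookies sent in the clear and Set-Cookie headers that lack the Secure attribute.

```python
"""Flag session cookies that travel in the clear (added example; the
messages and cookie names below are constructed, not real Yahoo! Mail data)."""
from typing import List, Tuple

# Stand-in names for cookies that carry a login session (an assumption).
SESSION_COOKIE_NAMES = {"sessid", "auth"}


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP message into its start line and lowercase (name, value) headers."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cleartext_session_cookies(raw: str, tls: bool) -> List[str]:
    """Return session cookie names found in a request that was NOT sent over TLS."""
    if tls:
        return []
    _, headers = parse_headers(raw)
    found = []
    for name, value in headers:
        if name != "cookie":
            continue
        for pair in value.split(";"):
            cname = pair.split("=", 1)[0].strip()
            if cname in SESSION_COOKIE_NAMES:
                found.append(cname)
    return found


def insecure_set_cookies(raw: str) -> List[str]:
    """Return names of cookies a response sets without the Secure attribute."""
    _, headers = parse_headers(raw)
    out = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            out.append(parts[0].split("=", 1)[0])
    return out


# Constructed sample traffic: a plaintext request and a response setting cookies.
PLAIN_REQUEST = "GET /mail HTTP/1.1\r\nHost: mail.example\r\nCookie: sessid=abc123; lang=en\r\n\r\n"
RESPONSE = "HTTP/1.1 200 OK\r\nSet-Cookie: sessid=abc123; HttpOnly\r\nSet-Cookie: lang=en; Secure\r\n\r\n"
```

Run over real captures from a test network, a non-empty result from `cleartext_session_cookies` is exactly the condition Lookout describes, and `insecure_set_cookies` shows which cookies the server allows to be sent that way.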
So it appears that Microsoft and Sophos are very possibly wrong about the first Android botnet. In all likelihood this is a series of session hijacks that are being used to send out the spam and not the botnet that Microsoft engineer Terry Zink claimed. What is interesting is that in a follow-up post to his blog he shows that he prefers the likelihood of an Android botnet over other possibilities with his comment.
“In comments of various blogs a lot of people have suggested that these headers are spoofed, or there was a botnet connecting to Yahoo Mail from a Windows PC and sent mail that way. Yes, it’s entirely possible that a bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.
On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices. Before writing my previous post, I considered both options but selected the latter.”
We will let you be the judge here, but as more data comes out it looks like Zink and Sophos did not do a complete investigation, but were excited about the possibility of an Android botnet (the first one ever) and let that thought influence their conclusions. We will be following up on this and will let you know what the final outcome is, but our money is on a session hijack or spoofed message IDs, considering that both have been done before.