There is a much simpler explanation for why the Yahoo! Mail Android app is suffering security issues, and it doesn’t seem to be a botnet.
Instead, a security research firm said Yahoo! Mail’s Android app doesn’t encrypt user data in transit, and issued a warning that hackers could easily hijack a user’s account.
Although you can enable encryption in the app’s settings, by default the app doesn’t secure data in transmission. Unaware users could find their entire accounts hijacked when connected to an insecure WiFi network.
“Given this security oversight, we believe that a very plausible explanation for the SMS spam botnet reported recently involves session hijacking,” said Lookout CTO Kevin Mahaffey. Initially, Microsoft and Sophos thought a spam attack coming from Yahoo! Mail servers was Android’s first botnet.
The “fix” is pretty simple. A user can enable SSL within the app by going to Options>General Settings and selecting “Enable SSL.” However, it’s a little surprising that Yahoo! didn’t enable encrypted communications by default.
“While our investigation into claims of a potential malware compromise operating as a botnet is ongoing, we can confirm that there is not a problem with our official Yahoo! Mail app for Android and there is no reason for users to uninstall the app,” Yahoo! officials said.
“As one of the largest Web mail services in the world, we value our users’ privacy and safety and have taken efforts across our mobile offerings, including the Yahoo! Mail app for Android, to use information in an authorized manner and according to our privacy policies. We encourage users to only install mobile apps from authorized marketplaces and also to change their passwords on a periodic basis. Yahoo! Mail also encourages consumers to educate themselves with online safety tips at security.yahoo.com.”
Mobile forensics firm viaForensics ran the app through a security audit, confirmed Lookout’s findings and successfully hijacked an account.
“While using the Yahoo! Mail app for Android (v1.4.4), the traffic was not encrypted over SSL (there’s an option but off by default). We grabbed a cookie from their ad network and then used it to login. We were successful in doing this without ever getting the person’s username or password. We then had full access to the account,” said Andrew Hoog, CIO of viaForensics.
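The hijack described above works because a session cookie carried over plain HTTP (here, to an ad network) can be captured and replayed without the password. The following audit script is an added example, not viaForensics’ or Lookout’s tooling; it scans a constructed proxy log (one request per line, `METHOD URL [Cookie: ...]`) for session cookies sent without TLS, and the log format, hosts and cookie names are all assumptions.

```python
"""Audit captured HTTP requests for session cookies sent without TLS.

Constructed example, not the tooling of any firm named in the article. The
one-line-per-request format and the cookie names below are assumptions.
"""
from urllib.parse import urlsplit

# Cookie names treated as authentication/session material (assumed names).
SESSION_COOKIE_NAMES = {"sessionid", "auth_token"}


def parse_request(line):
    """Split 'METHOD URL Cookie: a=1; b=2' into (scheme, host, {name: value})."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2:
        return None  # not a request line we understand
    url = parts[1]
    cookies = {}
    if len(parts) == 3 and parts[2].startswith("Cookie:"):
        for pair in parts[2][len("Cookie:"):].split(";"):
            if "=" in pair:
                name, value = pair.strip().split("=", 1)
                cookies[name] = value
    u = urlsplit(url)
    return u.scheme, u.hostname, cookies


def find_cleartext_sessions(lines):
    """Return (host, cookie_name) pairs where a session cookie went over plain HTTP."""
    findings = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        scheme, host, cookies = parsed
        if scheme != "http":
            continue  # TLS-protected request: not observable on the wire
        for name in cookies:
            if name.lower() in SESSION_COOKIE_NAMES:
                findings.append((host, name))
    return findings


# Constructed sample capture: SSL disabled (cleartext) versus enabled (https).
SAMPLE_LOG = [
    "GET http://mail.example.invalid/inbox Cookie: sessionid=abc123; lang=en",
    "GET http://ads.example.invalid/banner Cookie: auth_token=xyz789",
    "GET https://mail.example.invalid/inbox Cookie: sessionid=abc123",
    "GET http://cdn.example.invalid/logo.png",
]

if __name__ == "__main__":
    for host, name in find_cleartext_sessions(SAMPLE_LOG):
        print(f"cleartext session cookie {name!r} sent to {host}")
```

Run against a real capture, every finding is a request that a passive observer on the same network could have replayed; enabling SSL in the app removes the `http` requests entirely.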
In 2010 viaForensics flunked the Yahoo! Mail app for not securely storing user names or emails.