Yahoo Mail bugs may be behind Android 'botnet' spam, says researcher

Botnet-not-a-botnet dustup between Microsoft and Google may have another explanation, says Lookout Security: Yahoo Mail for Android vulnerabilities

The spam that has been attributed to an Android-based botnet may instead be the work of criminals exploiting bugs in the Yahoo Mail app for Google's mobile operating system, a security firm said today.

"There's no smoking gun, but my guess is that it's not malware," said Kevin Mahaffrey, co-founder and CTO of San Francisco-based Lookout Security, essentially dismissing the botnet possibility. "It's more likely an issue with the Yahoo Mail app."

Lookout has discovered what Mahaffrey called "potential security issues" in Yahoo's Android app, and reported its findings to the California search company's security team.

"They've acknowledged that they're looking into and working on these [issues], but until they complete their investigation, we are not disclosing any more information," Mahaffrey said in an interview Friday.

In a blog post Thursday, Lookout also said the vulnerabilities it found "have potentially broader implications for all Android users of Yahoo! Mail."

News first circulated Tuesday about a possible Android-based botnet -- if accurate, a first -- when Terry Zink, a program manager for Microsoft's enterprise-grade Forefront security product team, reported that spam messages were originating from Yahoo's servers and being sent from Android devices.

Other security researchers, including those at U.K.-based Sophos, reached the same conclusion after analyzing some of the spam messages.

Google has denied that the spam is being sent by an Android botnet.

"Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google told the IDG News Service -- like Computerworld, a division of IDG -- yesterday.

Several security experts took Google's side, theorizing that the spam actually originated from a run-of-the-mill botnet of compromised Windows PCs and, as Google said, had been dressed up as mobile mail to avoid detection.
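The disguise Google and these researchers describe works only if a filter treats a "Sent from ... Android" line in the message body as evidence of the sending client. The following Python example is added here to illustrate that point; it is not code from the article, from Google, or from any of the vendors named. Both messages and every host name and address in them are constructed (the `.invalid` and documentation-range addresses are placeholders), and the idea of a provider-operated "trusted mobile gateway" host is an assumption used only to show how a filter can key on the Received chain instead of the footer.

```python
"""Added example: a body footer is attacker-controlled text; the Received chain
is written by the receiving relays. Sample messages below are constructed."""
import email
import re
from email import policy

# Footer text any sender can type into a message body.
MOBILE_FOOTER = re.compile(r"^Sent from .*(Android|iPhone|mobile)", re.I | re.M)

# ASSUMPTION for the example: the provider's app gateway is the only relay
# that legitimately accepts mail from its mobile client.
TRUSTED_MOBILE_GATEWAYS = {"mobile-gw.example.invalid"}

# Constructed sample 1: footer claims a phone, but the earliest Received hop
# shows an arbitrary host submitting the message by plain SMTP.
SAMPLE_SPOOFED = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by inbound.example.net with ESMTP; Tue, 03 Jul 2012 10:00:00 +0000
Received: from host.example.org ([198.51.100.7]) by mx1.example.net with SMTP; Tue, 03 Jul 2012 09:59:50 +0000
From: sender@example.org
To: victim@example.net
Subject: hello

buy now

Sent from Yahoo! Mail on Android
"""

# Constructed sample 2: same footer, but the first hop is the assumed gateway.
SAMPLE_GATEWAY = """\
Received: from mobile-gw.example.invalid (mobile-gw.example.invalid [192.0.2.20]) by inbound.example.net with ESMTP; Tue, 03 Jul 2012 10:00:00 +0000
Received: from [203.0.113.5] by mobile-gw.example.invalid with HTTP; Tue, 03 Jul 2012 09:59:50 +0000
From: user@example.invalid
To: victim@example.net
Subject: hello

see you tonight

Sent from Yahoo! Mail on Android
"""


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def footer_claims_mobile(msg) -> bool:
    """True if the plain-text body carries a mobile-client footer."""
    body = msg.get_body(preferencelist=("plain",))
    return bool(body) and MOBILE_FOOTER.search(body.get_content()) is not None


def origin_hop(msg) -> dict:
    """Earliest Received header: relays prepend, so it is the last one listed.
    Returns the client IP (if bracketed) and the host that accepted the mail."""
    received = msg.get_all("Received") or []
    if not received:
        return {"ip": None, "by": None}
    first = str(received[-1])
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first)
    by = re.search(r"\bby\s+([\w.-]+)", first)
    return {"ip": ip.group(1) if ip else None, "by": by.group(1) if by else None}


def weak_filter(raw: str) -> str:
    """The bypass: whitelist anything that looks like mobile mail."""
    msg = parse(raw)
    return "allow" if footer_claims_mobile(msg) else "score"


def hardened_filter(raw: str) -> str:
    """Ignore the footer; trust only the relay that actually accepted the mail.
    Everything else goes through normal spam scoring."""
    msg = parse(raw)
    hop = origin_hop(msg)
    if hop["by"] in TRUSTED_MOBILE_GATEWAYS:
        return "allow"
    return "score"


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("gateway", SAMPLE_GATEWAY)):
        print(name, "weak:", weak_filter(raw), "hardened:", hardened_filter(raw),
              "origin:", origin_hop(parse(raw)))
```

With the weak filter both samples are allowed, because both carry the footer; the hardened filter allows only the message that entered through the assumed gateway and sends the SMTP-submitted one to normal scoring. In a real deployment the gateway set would come from the provider's published infrastructure, and the origin hop should be cross-checked against the receiving server's own logs rather than trusted blindly, since any Received line below your own relay's is also sender-supplied.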

Since Google's denial, Zink and Sophos have backtracked somewhat from their claims, but both continued to argue that an Android botnet was one of the possibilities.

Mahaffrey and Lookout, however, offered a third explanation, that Yahoo Mail on Android contained vulnerabilities that spammers were exploiting.

"The potential security issues in Yahoo Mail for Android could have allowed the type of behavior that we, and others, have witnessed," said Mahaffrey, who again declined to go into specifics until Yahoo had investigated and if necessary, fixed its app.

The current version of Yahoo Mail for Android is 1.4.4, which was last updated June 23, according to Google Play, the official Android app e-market.

Mahaffrey declined to comment when asked whether Lookout's researchers had examined older versions of Yahoo Mail to determine if the "potential security issues" were introduced in v. 1.4.4 or had been present in earlier editions of the app.

"The jury is still out what this really is," said Mahaffrey. "There's been a lot of speculation and not a lot of proof, so we all need to take a step back and take a scientific approach to the problem. But unfortunately, the truth isn't always what gets the headlines."

Lookout continues to dig into the spam and Yahoo Mail for Android, said Mahaffrey, and the company will publish more information as it becomes available and in line with "responsible disclosure," the practice of withholding vulnerability details until the developer has patched them.

Yahoo did not reply to a request for confirmation of Mahaffrey's assertion that Yahoo Mail contained flaws that could have been used to spew spam from smartphones equipped with the app.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.
