SecurityWeek

Email Security

Compromised Yahoo! Accounts Used to Spread Android Trojan

Over the last several days (weeks, for some), people have noticed an uptick in the amount of spam coming from compromised Yahoo accounts. SecurityWeek staff has witnessed this uptick in spam as well. But this spam run is designed to spread malware to Android devices, so it’s likely not as simple as a weak password issue.

Compromised email accounts, on services such as AOL, Yahoo, Hotmail (before it was Outlook), and Gmail have been used to spread spam for years. Often, someone has their account hijacked and an email is delivered to their entire address book requesting that the recipients follow a link somewhere. Mostly, those types of messages are pharmaceutical-based (‘Buy these pills now with no RX needed’), but some have been known to push malware that helps compromise additional email accounts.

This latest Yahoo-based spam campaign is similar. Visit the spammed link via a PC and you’ll see health-product related spam. However, access the link on an Android device, and you’re getting hit with the “NotCompatible Trojan”.
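The behaviour described above, serving harmless-looking spam to a desktop browser while handing an Android visitor the trojan, is user-agent cloaking, and it is cheap to check for before clicking through on a phone. The following script is an added example for analysts; it is not code from SecurityWeek, Lookout or Virus Bulletin. It requests the same URL twice with a desktop and an Android User-Agent, does not follow redirects (so a bounce to an .apk shows up as a 30x with a Location header rather than as a downloaded file), and reports any difference in status, redirect target, content type or body hash. The User-Agent strings, the `_demo_fetch` responses and the `.invalid` placeholder URL are constructed for the example; nothing here is taken from the campaign.

```python
"""Detect user-agent cloaking: does a link serve different content to an
Android device than to a desktop browser?  Added example, not from the article.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed User-Agent strings; any desktop/Android pair will do.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/23.0 Safari/537.36")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 4.0.4; GT-I9300 Build/IMM76D) "
              "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")

# A fetcher takes (url, user_agent) and returns (status, lowercase headers, body).
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str], bytes]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects; the 30x is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str], bytes]:
    """Real fetcher: a single GET, no redirect following, body capped at 64 KiB."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read(65536)
    except urllib.error.HTTPError as err:
        # With redirects suppressed, a 30x arrives here as an HTTPError.
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read(65536)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyse(url: str, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Fetch `url` as desktop and as Android and list every observable difference."""
    d_status, d_headers, d_body = fetch(url, DESKTOP_UA)
    a_status, a_headers, a_body = fetch(url, ANDROID_UA)
    findings: List[str] = []

    if d_status != a_status:
        findings.append(f"status differs: desktop {d_status}, android {a_status}")
    d_loc, a_loc = d_headers.get("location", ""), a_headers.get("location", "")
    if d_loc != a_loc:
        findings.append(f"redirect target differs: desktop {d_loc!r}, android {a_loc!r}")
    a_type = a_headers.get("content-type", "").lower()
    if "android.package-archive" in a_type or a_loc.lower().endswith(".apk"):
        findings.append("android request is handed an APK")  # the NotCompatible pattern
    if d_headers.get("content-type", "").lower() != a_type:
        findings.append("content-type differs")
    if _sha256(d_body) != _sha256(a_body):
        findings.append("response body differs")

    return {
        "url": url,
        "cloaked": bool(findings),
        "findings": findings,
        "desktop_sha256": _sha256(d_body),
        "android_sha256": _sha256(a_body),
    }


def _demo_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed responses imitating the behaviour the article describes
    (desktop gets a pills page, Android gets bounced to an APK).  Offline only."""
    if "Android" in user_agent:
        return 302, {"location": "http://placeholder-cloaked.invalid/update.apk",
                     "content-type": "text/html"}, b""
    return 200, {"content-type": "text/html"}, b"<html>cheap health products</html>"


if __name__ == "__main__":
    # Offline demonstration against the constructed responses.
    result = analyse("http://placeholder-link.invalid/", _demo_fetch)
    for line in result["findings"]:
        print("-", line)
    print("cloaked:", result["cloaked"])
    # For a real link: analyse("http://<link from the spam>/") uses http_fetch.
```

Run it from a throwaway VM or sandbox rather than a phone, and treat any "handed an APK" finding as confirmation that the link should go to the abuse desk, not to a device.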

According to Android-based security vendor Lookout:

“NotCompatible is a new Android Trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy.”

This malware has been used before. Similar to this most recent example, those attacks also originated from spammed links via compromised email accounts that only served malware to mobile devices.

According to a report from Virus Bulletin, the links used in this most recent attack are still active, and the registrar responsible for them has been unresponsive to requests for help and security alerts. However, the root problem may be Yahoo’s rather than the account owners’ – who often take the blame for these types of attacks because of weak passwords.

“We have reasons to believe that, in this case, the problem lies on Yahoo!’s side,” wrote Martijn Grooten, on the Virus Bulletin blog.

“Firstly, the volume of spam from compromised Yahoo! accounts is significantly larger than that sent from other webmail providers. We have noticed this before – and, if anything, the problem has since become worse. More importantly, from various reliable sources, we know that accounts that had not been used for a very long time have been compromised as part of this campaign.”

How was my Yahoo! Account Hacked?

As mentioned, the links used in the campaign are all still active, and the best advice is simply to avoid random links – even if they come from a legit Yahoo account. In this campaign, the emails often have a random subject such as “Hey” or “Christen G” and a single link. They stand out as suspicious, especially if you know the account they come from and the message is outside of the norm.

There is no word as of yet if Yahoo! has responded to Virus Bulletin.
