Lookout has discovered that Yahoo! Mail's Android app, the center of a potential "Android botnet" investigation, doesn't encrypt data in transit, and warns that hackers could hijack a user's account.

Lookout has discovered that Yahoo! Mail's Android app—the center of a potential "Android botnet" investigation—doesn't encrypt user data in transit, and issued a warning that hackers could easily hijack a user's account.

Although encryption can be switched on in the app's settings, it is off by default, so the app's traffic travels in cleartext. Users who don't know this could find their entire accounts hijacked by anyone sniffing the same insecure WiFi network, in the same vein as the attack in 2010.

"Given this security oversight, we believe that a very plausible explanation for the SMS spam botnet reported recently involves session hijacking," Lookout CTO Kevin Mahaffey wrote in an updated blog post. As we reported yesterday, Microsoft and Sophos initially believed a spam attack coming from Yahoo! Mail servers was related to Android's first botnet.

The "fix" is pretty simple. A user can enable SSL within the app by going to Options > General Settings and selecting "Enable SSL." Note that this only protects traffic sent from then on: a session cookie an attacker has already captured stays usable until that session expires or is invalidated. Still, it's a little surprising that Yahoo! didn't enable encrypted communications by default.

Meanwhile Yahoo sent us the following statement:

"While our investigation into claims of a potential malware compromise operating as a botnet is ongoing, we can confirm that there is not a problem with our official Yahoo! Mail app for Android and there is no reason for users to uninstall the app."

"As one of the largest Web mail services in the world, we value our users' privacy and safety and have taken efforts across our mobile offerings, including the Yahoo! Mail app for Android, to use information in an authorized manner and according to our privacy policies. We encourage users to only install mobile apps from authorized marketplaces and also to change their passwords on a periodic basis. Yahoo! Mail also encourages consumers to educate themselves with online safety tips at security.yahoo.com."

Mobile forensics firm viaForensics (the folks who discovered the famous man-in-the-middle flaw in PayPal) ran the app through a security audit, confirmed Lookout's findings and successfully hijacked an account.

"While using the Yahoo! Mail app for Android (v1.4.4), the traffic was not encrypted over SSL (there's an option but off by default). We grabbed a cookie from their ad network and then used it to login. We were successful in doing this without ever getting the person's username or password. We then had full access to the account," said Andrew Hoog, CIO of viaForensics.
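To make concrete what "grabbed a cookie and used it to login" means, and why the SSL toggle described earlier is the fix, here is a small simulation. It is an added example written for this page, not code from Yahoo!, Lookout or viaForensics, and it does not reproduce the app's real requests: the hostname, cookie names and session ID are made up. It models a cookie-aware client, a sniffer on the same network, and a toy mail backend that treats a valid session cookie as proof of identity, and then shows that the replay succeeds only when the session cookie crossed the wire in cleartext.

```python
"""Session hijacking over cleartext HTTP, simulated. Added example; every
hostname, cookie name and session ID below is invented for illustration."""

SESSION_COOKIE = "sess"


def build_request(cookie_jar: dict, over_tls: bool) -> str:
    """The request a cookie-aware client sends. cookie_jar maps
    name -> (value, secure_flag); a cookie marked Secure is only attached
    when the connection is TLS, so it never appears in plaintext traffic."""
    sent = [f"{k}={v}" for k, (v, secure) in cookie_jar.items()
            if over_tls or not secure]
    return ("GET /mail/inbox HTTP/1.1\r\n"
            "Host: mail.example.invalid\r\n"      # hypothetical host
            f"Cookie: {'; '.join(sent)}\r\n\r\n")


def extract_cookies(raw_request: str) -> dict:
    """What the sniffer does: pull every Cookie header out of a captured
    HTTP/1.x request and return name -> value."""
    header_lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    cookies = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


class MailServer:
    """Toy backend: whoever presents a valid session cookie is that user.
    secure_cookies controls whether the session cookie is issued with the
    Secure attribute (the hardened setting)."""

    def __init__(self, secure_cookies: bool):
        self.secure_cookies = secure_cookies
        self.sessions = {}  # session id -> account

    def login(self, account: str) -> dict:
        """Authenticate once (password check omitted) and hand back the
        cookie jar the client will store."""
        sid = "9f8e7d6c5b4a"  # fixed, made-up session id
        self.sessions[sid] = account
        return {
            "ad_id": ("ab12", False),                   # ad-network cookie, never Secure
            SESSION_COOKIE: (sid, self.secure_cookies),
        }

    def serve(self, raw_request: str):
        """Return the account this request is served as, or None."""
        sid = extract_cookies(raw_request).get(SESSION_COOKIE)
        return self.sessions.get(sid)


def hijack(server: MailServer, sniffed_request: str):
    """Attacker replays exactly the cookies seen on the wire, over TLS, so the
    server cannot distinguish the replay from the victim's own client."""
    stolen = extract_cookies(sniffed_request)
    replay = build_request({k: (v, False) for k, v in stolen.items()}, over_tls=True)
    return server.serve(replay)


def run(secure_cookies: bool, ssl_enabled: bool):
    """Victim logs in and fetches the inbox; an attacker on the same WiFi
    sniffs that fetch and replays it. Returns the account the attacker gets,
    or None if the hijack fails."""
    server = MailServer(secure_cookies)
    jar = server.login("victim@example.invalid")
    on_the_wire = build_request(jar, over_tls=ssl_enabled)
    sniffed = None if ssl_enabled else on_the_wire  # TLS hides the request
    return None if sniffed is None else hijack(server, sniffed)


if __name__ == "__main__":
    print("SSL off, plain cookie :", run(secure_cookies=False, ssl_enabled=False))
    print("SSL on               :", run(secure_cookies=False, ssl_enabled=True))
    print("SSL off, Secure cookie:", run(secure_cookies=True, ssl_enabled=False))
```

The first run is the situation the article describes: the session cookie travels in cleartext, the sniffer reads it, and the replay is served as the victim with no username or password involved. Turning SSL on in the client (second run) hides the request from the sniffer. The third run shows the server-side complement a practitioner would also want: if the session cookie carries the Secure attribute, a client that honours it never sends that cookie over plain HTTP, so even a user who forgot to flip the switch leaks only the ad cookie, which this toy server does not accept as a login.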

In 2010 viaForensics flunked the Yahoo! Mail app for not securely storing user names or emails.

The Android Notnet

Meanwhile, researchers are still scratching their heads over the source of Viagra-touting spam that appeared to come from hijacked Android devices. What's clear is that evidence of an "Android botnet" is thinning out by the day.