While on default Android Email application, my e-mail account & pass were stolen !!

peryp9

Senior Member
Jan 3, 2012
103
40
This problem may or may not be related to Epic 4G Touch or to Android, but it's the second time this has happened. See attached picture and try to find the problem !!! You guessed it, I moved from NY to Mexico in about 45 min !!!


After trying different Yahoo servers listed online, using the default Email application on my Epic 4G Touch (trying to get IMAP access instead of POP3) I noticed that my e-mail account & password were stolen. All my contacts received links to websites that side-loaded viruses into their computers.


I tried the following Yahoo servers, but I'm unable to pinpoint the faulty server address (most probably it's one of the servers without ssl requirement):


A)
incoming server = android.imap.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)

B)
incoming server = imap.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)

C)
incoming server = pop.mail.yahoo.com _ port = 995 (uses ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)

D)
incoming server = pop.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mobile.mail.yahoo.com _ port = 587 (no ssl)

E)
incoming server = android.imap.mail.yahoo.com _ port = 993 (uses ssl)
outgoing smtp server = smtp.mobile.mail.yahoo.com _ port = 587 (no ssl)



Please note that I copied and pasted all the servers/ports as I found them listed online. I think that I tried all the combinations above, but I can't tell which one caused the problem.


EDIT 2/21/2012:
The way I personally think this has happened is that somewhere between my phone and the Yahoo server, there's some kind of automated program, sniffing for the e-mail/password combination when trying to connect WITHOUT using a secure SSL connection.

I checked my SENT folder from Yahoo and I can see all the e-mails going out, as if I had sent them myself. The above mentioned program read my entire contacts list, sent e-mails (in groups of 8 contacts at a time) in alphabetical order, until it reached the end of the list. After that it stopped. I was only able to figure this out about 30 minutes later, when I started receiving messages from "MAILER-DAEMON@yahoo.com <MAILER-DAEMON@yahoo.com>" because some e-mails were no longer valid.


- I'm fairly knowledgeable and I know my way around computers/electronics. I'm a cautious person that understands when and where an account can be hijacked... but this caught me by surprise. If this happened to me, it can easily happen to anyone... so keep your eyes open !!!

- my e-mail password is 10 characters long (upper & lower case letters + numbers + special characters) so brute force attacks are highly unlikely.

- It cannot be a hidden keyboard reader because I also have other e-mail accounts on this phone. The only hijacked account was the one that used the listed servers above.

- I was previously using Calkulin 2.8.1 ROM and I was testing various Yahoo servers (as listed above) when it first happened. I thought the custom ROM may have some security safeguards removed...

- I performed a complete ODIN re-install of stock ROM + Root, immediately after the first time my password was stolen.

- I was using the default Email client for approximately 2 weeks (with NO problems), until I decided to go back and see if Yahoo IMAP can be implemented ... and as soon as I started putting the servers listed above, it happened a second time... e-mail password stolen.

NOTES:
A) I have a feeling that using a connection WITHOUT SSL (as listed above) somehow exposed my account's name and password combination while trying to retrieve my emails. I thought I'm safe doing this because these are Yahoo servers, so I figured this cannot be the problem. I SHOULD HAVE KNOWN BETTER !!!

B) The first time it happened, I was using the phone's 3G connection and the second time I was on my WIFI at home, so the connection to the internet cannot be the problem

C) I don't have any applications installed that could possibly hijack my account. I have all the EL29 stock apps and the following downloaded straight from Market: Angry Birds, Barcode Scanner, Netflix, Speedtest and Viber. The only non-market item is AIO MOD (http://xdaforums.com/show....php?t=1390304)




Well, did any of you have this problem on any Android phone ??? Did it happen to you on Yahoo accounts or others ?

Last edited:
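
Added example, not part of the original post: on the settings above that use port 143 with no SSL, IMAP's LOGIN command carries the account name and password as readable text. The sketch below audits a client-side protocol log and flags credentials sent before TLS is in place; the log lines, the dummy account and the `audit_session` function are constructed for illustration.

```python
import re

# Constructed client-side protocol logs (not captured traffic); dummy credentials.
PLAIN_143 = [
    "S: * OK IMAP4rev1 ready",
    "C: a1 CAPABILITY",
    "S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
    "S: a1 OK done",
    'C: a2 LOGIN "user@example.com" "dummy-pass"',
    "S: a2 OK logged in",
]
STARTTLS_143 = [
    "S: * OK IMAP4rev1 ready",
    "C: a1 STARTTLS",
    "S: a1 OK begin TLS negotiation",
    'C: a2 LOGIN "user@example.com" "dummy-pass"',
    "S: a2 OK logged in",
]

CMD = re.compile(r"^C: (\S+) (\w+)(?: (.*))?$")  # client line: tag, verb, arguments

def audit_session(lines, implicit_tls=False):
    """Return one finding per credential command sent before TLS is active."""
    tls = implicit_tls        # True models port 993, where TLS wraps the session
    starttls_tag = None       # tag of a STARTTLS command awaiting the server's OK
    offered_starttls = False
    findings = []
    for line in lines:
        if line.startswith("S: "):
            body = line[3:]
            if body.upper().startswith("* CAPABILITY"):
                offered_starttls = "STARTTLS" in body.upper().split()
            elif starttls_tag and body.startswith(starttls_tag + " OK"):
                tls = True    # server accepted STARTTLS; later commands are encrypted
            continue
        m = CMD.match(line)
        if not m:
            continue
        tag, verb, args = m.group(1), m.group(2).upper(), m.group(3) or ""
        if verb == "STARTTLS":
            starttls_tag = tag
        elif verb in ("LOGIN", "AUTHENTICATE") and not tls:
            # Report the account name only; the password is never copied out.
            user = args.split()[0].strip('"') if verb == "LOGIN" and args else "(SASL exchange)"
            hint = ("server offered STARTTLS but client skipped it"
                    if offered_starttls else "no TLS negotiated")
            findings.append(f"{verb} for {user} sent in cleartext ({hint})")
    return findings
```

Passing `implicit_tls=True` models the port 993 settings, where the same LOGIN line is already inside the encrypted channel and produces no finding.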

Bielinsk

Senior Member
Dec 16, 2009
1,034
68
Sounds like someone hacked your account, but I don't see how this has anything to do with Android.
 

Overstew

Senior Member
Oct 3, 2010
3,980
1,665
You could have an app that's reading keystrokes and/or personal data. You can try doing a virus scan with AVG Free (uninstall it afterwards if you don't want to keep it.)

If your password was easy to guess a bruteforce could've easily gotten it. Also do a virus scan on your pc.

Sent from my SPH-D710 using Tapatalk
 

squshy 7

Senior Member
Dec 6, 2010
1,414
450
Honestly? I'm sure yahoo is to blame...especially considering they've made their email act quirky on a lot of smartphones when not using the ymail app, I don't trust them.

Sent from my SPH-D710 using xda premium
 

peryp9

Senior Member
Jan 3, 2012
103
40
> Sounds like someone hacked your account, but I don't see how this has anything to do with Android.

You may be right. It probably doesn't have anything to do with Android or the default Email application. I may be the only one that has had this problem.


The only part that I am 100 % sure about, is that it happened while setting up the servers for Yahoo on my E4GT, in the default Email application. This is the second time it has happened to me, while performing identical steps.

> You could have an app that's reading keystrokes and/or personal data. You can try doing a virus scan with AVG Free (uninstall it afterwards if you don't want to keep it.)
>
> If your password was easy to guess a bruteforce could've easily gotten it. Also do a virus scan on your pc.
>
> Sent from my SPH-D710 using Tapatalk


I will run some anti-viruses, but from what I was reading online, they seem to be pretty useless on Android phones.


I will post my results.
 
I had the same thing happen to me with Gmail last year. I installed a free live wallpaper from the market, and 5 mins later my account was phished and (tried) to mass email all my contacts. Showed me logged in from different countries etc. Luckily Google email caught it and suspended the account to stop it.
I had to change my password.

.: sent from my Samsung Galaxy S II Epic 4G Touch :.
 

peryp9

Senior Member
Jan 3, 2012
103
40
Update:

I installed 3 antiviruses (Avast, Lookout and AVG Antivirus) and none of them found any problems, but I'm not surprised by this.


I was checking the Avast Firewall features and in the list I found 4 applications grouped together (I can't seem to find any references to what they perform exactly):

- SNSAccountFb
- SNSAccountLi
- SNSAccountTw
- SNS disclaimer

These applications appear legitimate (having a disclaimer installed is probably signaling a safe app) but I can't find any information about what it does.


Any help would be greatly appreciated... +1
 

oscarthegrouch

Senior Member
Jun 19, 2011
1,723
332
Social network service
facebook and twitter
I don't know what li stands for. Those can be safely renamed to like ...apk.bak or whatever, if you don't use the built in widget crap for that stuff. I would be careful when installing new apps next time. I'd probably odin the phone back to stock rooted with full data wipe. Not the nodata choice. I'd also consider using a different email client. I don't know how good k9 is but people like it. I'd also get a firewall/whitelist/blacklist app that you can set up and choose what apps and services get out on the internet.
 

sk63

Senior Member
Mar 1, 2010
444
48
35
Chicago
> Update:
>
> I installed 3 antiviruses (Avast, Lookout and AVG Antivirus) and none of them found any problems, but I'm not surprised by this.
>
> I was checking the Avast Firewall features and in the list I found 4 applications grouped together (I can't seem to find any references to what they perform exactly):
>
> - SNSAccountFb
> - SNSAccountLi
> - SNSAccountTw
> - SNS disclaimer
>
> These applications appear legitimate (having a disclaimer installed is probably signaling a safe app) but I can't find any information about what it does.
>
> Any help would be greatly appreciated... +1

Those are all legit Samsung apps.
 

someguyatx

Senior Member
Feb 7, 2012
1,444
401
Louisville
I have been checking my Yahoo account on phones for years, first BlackBerry then Android, with no issues. It's likely a password issue. Try something 9 or more characters not from the dictionary or your life. Using a phrase like yahoosucks but making it y@h0osuck6 makes it tougher to crack. I probably need to update some of my passwords too.
 

peryp9

Senior Member
Jan 3, 2012
103
40
I have to say THANK YOU to all that contributed to my thread, trying to help solve this mystery.


I wanted to say the following:
- I'm fairly knowledgeable and I know my way around computers/electronics. I'm a cautious person that understands when and where an account can be hijacked... but this caught me by surprise. If this happened to me, it can easily happen to anyone... so keep your eyes open !!!

- my e-mail password is 10 characters long (upper & lower case letters + numbers + special characters) so brute force attacks are highly unlikely.

- It cannot be a hidden keyboard reader because I also have other e-mail accounts on this phone. The only hijacked account was the one that used the listed servers above.

- I was previously using Calkulin 2.8.1 ROM and I was testing various Yahoo servers (as listed above) when it first happened. I thought the custom ROM may have some security safeguards removed...

- I performed a complete ODIN re-install of stock ROM + Root, immediately after the first time my password was stolen.

- I was using the default Email client for approximately 2 weeks (with NO problems), until I decided to go back and see if Yahoo IMAP can be implemented ... and as soon as I started putting the servers listed above, it happened a second time... e-mail password stolen.

NOTES:
A) I have a feeling that using a connection WITHOUT SSL (as listed above) somehow exposed my account's name and password combination while trying to retrieve my emails. I thought I'm safe doing this because these are Yahoo servers, so I figured this cannot be the problem. I SHOULD HAVE KNOWN BETTER !!!

B) The first time it happened, I was using the phone's 3G connection and the second time I was on my WIFI at home, so the connection to the internet cannot be the problem

C) I don't have any applications installed that could possibly hijack my account. I have all the EL29 stock apps and the following downloaded straight from Market: Angry Birds, Barcode Scanner, Netflix, Speedtest and Viber. The only non-market item is AIO MOD (http://xdaforums.com/showthread.php?t=1390304)
 

rdsnyder

Member
Jan 26, 2011
32
10
This is a shot in the dark here, but did you have your yahoo account info on any past devices you no longer own? I had one of those MID tablets direct from China that I sold on craigslist. I did not include a SD card, and did 2 or 3 data wipes before selling it, and Christmas day I start getting emails thanking me for my Amazon app store purchases. Thankfully they were all free apps, I'm sure it was completely innocent - probably just some kid who got it for Christmas (poor kid, that thing was awful) but possibly something similar happened here with less innocent results?
 

peryp9

Senior Member
Jan 3, 2012
103
40
> This is a shot in the dark here, but did you have your yahoo account info on any past devices you no longer own? I had one of those MID tablets direct from China that I sold on craigslist. I did not include a SD card, and did 2 or 3 data wipes before selling it, and Christmas day I start getting emails thanking me for my Amazon app store purchases. Thankfully they were all free apps, I'm sure it was completely innocent - probably just some kid who got it for Christmas (poor kid, that thing was awful) but possibly something similar happened here with less innocent results?


I see what you mean ... but no, I didn't have anything similar to your situation. The only device I had my e-mail retrieved from was a dumb phone (Blackberry 8350i) which I still own (I'm using it for morning alarm).


The way I personally think this has happened is that somewhere between my phone and the Yahoo server, there's some kind of automated program, sniffing for the e-mail/password combination when trying to connect WITHOUT using a secure SSL connection.

I checked my SENT folder from Yahoo and I can see all the e-mails going out, as if I had sent them myself. The above mentioned program read my entire contacts list, sent e-mails (in groups of 8 contacts at a time) in alphabetical order, until it reached the end of the list. After that it stopped. I was only able to figure this out about 30 minutes later, when I started receiving messages from "MAILER-DAEMON@yahoo.com <MAILER-DAEMON@yahoo.com>" because some e-mails were no longer valid.
 

&roid

Senior Member
Mar 2, 2011
600
125
I recently had some troubles with password theft in the email I used in the default mail program. I don't have Yahoo, but I use my ISP email service Cox. I had it happen twice as well, and didn't find any detectable issues on antivirus programs. I've been using MIUI ROM for the last few weeks and have not had any troubles since. I've never had a password problem before this happened. I doubt it's my phone ROM, I was using calks EL29 and his stuff has always been great. I'm not aware of having any weird free apps either, but who knows. Perhaps something blindly gained root access or something.
 

gtuansdiamm

Senior Member
Nov 15, 2010
3,038
493
New York
I went from NY to Texas once, but later, after I changed my password, I found it to be the IM client I used:
Trillian

Sent from my SPH-D710 using xda premium
 

kcbedo

Member
Nov 30, 2009
44
34
I think Yahoo's servers are being hacked somehow. I know three people that were hacked on Sunday at exactly the same time.

Yahoo has added a new Second Sign On Verification option you ought to turn on.
 

ElAguila

Senior Member
Mar 12, 2007
2,408
100
San Antonio
I am pretty sure this is a yahoo issue. My sister's account was hacked at 4 am this morning and she doesn't have an android device. She uses her pc. This is the second time this has happened to yahoo users that I know of.