
While on default Android Email application, my e-mail account & pass were stolen !!

 
peryp9
Old
(Last edited by peryp9; 22nd February 2012 at 02:06 AM.) Reason: small details
#1  
Senior Member - OP
Thanks Meter 38
Posts: 103
Join Date: Jan 2012

This problem may or may not be related to Epic 4G Touch or to Android, but it's the second time this has happened. See attached picture and try to find the problem !!! You guessed it, I moved from NY to Mexico in about 45 min !!!


After trying different Yahoo servers listed online, using the default Email application on my Epic 4G Touch (trying to get IMAP access instead of POP3) I noticed that my e-mail account & password were stolen. All my contacts received links to websites that side-loaded viruses into their computers.


I tried the following Yahoo servers, but I'm unable to pinpoint the faulty server address (most probably it's one of the servers without ssl requirement):


A)
incoming server = android.imap.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)

B)
incoming server = imap.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)

C)
incoming server = pop.mail.yahoo.com _ port = 995 (uses ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)

D)
incoming server = pop.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mobile.mail.yahoo.com _ port = 587 (no ssl)

E)
incoming server = android.imap.mail.yahoo.com _ port = 993 (uses ssl)
outgoing smtp server = smtp.mobile.mail.yahoo.com _ port = 587 (no ssl)



Please note that I copied and pasted all the servers/ports as I found them listed online. I think that I tried all the combinations above, but I can't tell which one caused the problem.


EDIT 2/21/2012:
The way I personally think this has happened is that somewhere between my phone and the Yahoo server, there's some kind of automated program, sniffing for the e-mail/password combination when trying to connect WITHOUT using a secure SSL connection.

I checked my SENT folder from Yahoo and I can see all the e-mails going out, as if I had sent them myself. The above-mentioned program read my entire contacts list, sent e-mails (in groups of 8 contacts at a time) in alphabetical order, until it reached the end of the list. After that it stopped. I was only able to figure this out about 30 minutes later, when I started receiving messages from "MAILER-DAEMON@yahoo.com <MAILER-DAEMON@yahoo.com>" because some e-mails were no longer valid.


- I'm fairly knowledgeable and I know my way around computers/electronics. I'm a cautious person that understands when and where an account can be hijacked... but this caught me by surprise. If this happened to me, it can easily happen to anyone... so keep your eyes open !!!

- my e-mail password is 10 characters long (upper & lower case letters + numbers + special characters) so brute force attacks are highly unlikely.

- It cannot be a hidden keyboard reader because I also have other e-mail accounts on this phone. The only hijacked account was the one that used the listed servers above.

- I was previously using Calkulin 2.8.1 ROM and I was testing various Yahoo servers (as listed above) when it first happened. I thought the custom ROM may have some security safeguards removed...

- I performed a complete ODIN re-install of stock ROM + Root, immediately after the first time my password was stolen.

- I was using the default Email client for approximately 2 weeks (with NO problems), until I decided to go back and see if Yahoo IMAP can be implemented ... and as soon as I started putting the servers listed above, it happened a second time... e-mail password stolen.

NOTES:
A) I have a feeling that using a connection WITHOUT SSL (as listed above) somehow exposed my account's name and password combination while trying to retrieve my emails. I thought I'm safe doing this because these are Yahoo servers, so I figured this cannot be the problem. I SHOULD HAVE KNOWN BETTER !!!

B) The first time it happened, I was using the phone's 3G connection and the second time I was on my WIFI at home, so the connection to the internet cannot be the problem

C) I don't have any applications installed that could possibly hijack my account. I have all the EL29 stock apps and the following downloaded straight from Market: Angry Birds, Barcode Scanner, Netflix, Speedtest and Viber. The only non-market item is AIO MOD (http://forum.xda-developers.com/show....php?t=1390304)




Well, did any of you have this problem on any Android phone ??? Did it happen to you on Yahoo accounts or others ?

Attached thumbnail: E-mail Recent Activity.JPG
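
As an added example (not part of any post in this thread): a small Python audit of the five server profiles listed in the post above. It flags profiles that include a connection marked "no ssl", where the login may cross the network unencrypted unless the client negotiates STARTTLS, and lines whose host name and port belong to different protocols. The host-name heuristic and the function names are assumptions of this example.

```python
import re
# Profiles A-E as listed in the post above (sample input copied from the page).
POSTED = """\
A)
incoming server = android.imap.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)
B)
incoming server = imap.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)
C)
incoming server = pop.mail.yahoo.com _ port = 995 (uses ssl)
outgoing smtp server = smtp.mail.yahoo.com _ port = 465 (uses ssl)
D)
incoming server = pop.mail.yahoo.com _ port = 143 (no ssl)
outgoing smtp server = smtp.mobile.mail.yahoo.com _ port = 587 (no ssl)
E)
incoming server = android.imap.mail.yahoo.com _ port = 993 (uses ssl)
outgoing smtp server = smtp.mobile.mail.yahoo.com _ port = 587 (no ssl)
"""
# Standard port assignments: 143/993 IMAP, 110/995 POP3, 465/587 mail submission.
PORT_PROTO = {143: "imap", 993: "imap", 110: "pop3", 995: "pop3", 465: "smtp", 587: "smtp"}
LINE = re.compile(r"(incoming|outgoing)\b.*?=\s*(\S+)\s*_\s*port\s*=\s*(\d+)\s*\((no|uses) ssl\)")

def parse(text):
    """Yield (profile, direction, host, port, uses_ssl) for each server line."""
    profile = None
    for raw in text.splitlines():
        raw = raw.strip()
        if re.fullmatch(r"[A-Z]\)", raw):
            profile = raw[0]
        elif (m := LINE.match(raw)):
            yield profile, m[1], m[2], int(m[3]), m[4] == "uses"

def host_proto(host):
    """Protocol implied by a host-name label (heuristic, assumed for these names)."""
    labels = host.split(".")
    return next((p for k, p in (("imap", "imap"), ("pop", "pop3"), ("smtp", "smtp")) if k in labels), None)

def audit(text):
    """Return (profiles with a non-SSL leg, (profile, direction) host/port mismatches)."""
    exposed, mismatched = set(), []
    for profile, direction, host, port, ssl in parse(text):
        if not ssl:
            exposed.add(profile)  # credentials are not protected by implicit TLS
        if host_proto(host) != PORT_PROTO.get(port):
            mismatched.append((profile, direction))
    return sorted(exposed), mismatched

print(audit(POSTED))
```

Only profile C uses SSL on both legs; profile D additionally points a POP host name at port 143, which is the IMAP port.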
 
Bielinsk
Old
#2  
Senior Member
Thanks Meter 67
Posts: 1,001
Join Date: Dec 2009
Sounds like someone hacked your account, but I don't see how this has anything to do with Android.
 
Overstew
Old
#3  
Senior Member
Thanks Meter 1654
Posts: 3,911
Join Date: Oct 2010
You could have an app that's reading keystrokes and/or personal data. You can try doing a virus scan with AVG Free (uninstall it afterwards if you don't want to keep it.)

If your password was easy to guess a bruteforce could've easily gotten it. Also do a virus scan on your pc.

Sent from my SPH-D710 using Tapatalk
 
squshy 7
Old
#4  
Senior Member
Thanks Meter 450
Posts: 1,406
Join Date: Dec 2010
Honestly? I'm sure yahoo is to blame...especially considering they've made their email act quirky on a lot of smartphones when not using the ymail app, I don't trust them.

Sent from my SPH-D710 using xda premium
[21:22] <Shabbypenguin> but the nexus... well its gunna be better than sex
 
peryp9
Old
#5  
Senior Member - OP
Thanks Meter 38
Posts: 103
Join Date: Jan 2012
Quote:
Originally Posted by Bielinsk View Post
Sounds like someone hacked your account, but I don't see how this has anything to do with Android.
You may be right. It probably doesn't have anything to do with Android or the default Email application. I may be the only one that has had this problem.


The only part that I am 100 % sure about, is that it happened while setting up the servers for Yahoo on my E4GT, in the default Email application. This is the second time it has happened to me, while performing identical steps.

Quote:
Originally Posted by Overstew View Post
You could have an app that's reading keystrokes and/or personal data. You can try doing a virus scan with AVG Free (uninstall it afterwards if you don't want to keep it.)

If your password was easy to guess a bruteforce could've easily gotten it. Also do a virus scan on your pc.

Sent from my SPH-D710 using Tapatalk

I will run some anti-viruses, but from what I was reading online, they seem to be pretty useless on Android phones.


I will post my results.
 
hayabusa1300cc
Old
#6  
hayabusa1300cc's Avatar
Senior Member
Thanks Meter 570
Posts: 1,981
Join Date: Jun 2007
Location: HOUSTON TEXAS
I had the same thing happen to me with gmail last year. I installed a free live wallpaper from the market, and 5 mins later my account was phished and (tried) to mass email all my contacts. Showed me logged in from different countries etc. Luckily Google email caught it and suspended the account to stop it.
I had to change my password.

.: sent from my Samsung Galaxy S II Epic 4G Touch :.
Smartphonespc6700<htc mogul<htc diamond<htc hero<htc evo<samsung epic 4g<motorola photon 4g<samsung galaxy s ii epic 4g touch<Samsung Galaxy Siii epic 4glte touch S3<Samsung Galaxy Note II *catches breath*
 
peryp9
Old
#7  
Senior Member - OP
Thanks Meter 38
Posts: 103
Join Date: Jan 2012
Update:

I installed 3 antiviruses (Avast, Lookout and AVG Antivirus) and none of them found any problems, but I'm not surprised by this.


I was checking the Avast Firewall features and in the list I found 4 applications grouped together (I can't seem to find any references to what they perform exactly):

- SNSAccountFb
- SNSAccountLi
- SNSAccountTw
- SNS disclaimer

These applications appear legitimate (having a disclaimer installed is probably signaling a safe app) but I can't find any information about what it does.


Any help would be greatly appreciated... +1
 
oscarthegrouch
Old
#8  
Senior Member
Thanks Meter 324
Posts: 1,676
Join Date: Jun 2011
Social network service
facebook and twitter
I don't know what li stands for. Those can be safely renamed to like ...apk.bak or whatever, if you don't use the built in widget crap for that stuff. I would be careful when installing new apps next time. I'd probably odin the phone back to stock rooted with full data wipe. Not the nodata choice. I'd also consider using a different email client. I don't know how good k9 is but people like it. I'd also get a firewall/whitelist/blacklist app that you can set up and choose what apps and services get out on the internet.
 
sk63
Old
#9  
Senior Member
Thanks Meter 43
Posts: 434
Join Date: Mar 2010
Location: Chicago
Quote:
Originally Posted by peryp9 View Post
Update:

I installed 3 antiviruses (Avast, Lookout and AVG Antivirus) and none of them found any problems, but I'm not surprised by this.


I was checking the Avast Firewall features and in the list I found 4 applications grouped together (I can't seem to find any references to what they perform exactly):

- SNSAccountFb
- SNSAccountLi
- SNSAccountTw
- SNS disclaimer

These applications appear legitimate (having a disclaimer installed is probably signaling a safe app) but I can't find any information about what it does.


Any help would be greatly appreciated... +1
Those are all legit Samsung apps.
 
someguyatx
Old
#10  
someguyatx's Avatar
Senior Member
Thanks Meter 347
Posts: 1,277
Join Date: Feb 2012
Location: Louisville
I have been checking my yahoo account on phones for years, first blackberry then android, with no issues. It's likely a password issue. Try something 9 or more characters not from the dictionary or your life. Using a phrase like yahoosucks but making it y@h0osuck6 makes it tougher to crack. I probably need to update some of my passwords too.
