March 14, 2013

Still NotCompatible: A Resurgence Via Email Spam

Back in May 2012 we first reported on NotCompatible, a remote proxy threat distributed by hacked websites. Once installed, the NotCompatible malware acts as a proxy, thereby allowing its owner to transmit and receive network data through the infected device. The original threat marked the first time that hacked websites were used to specifically target and infect mobile devices. Since the initial detection, we’ve continued to actively monitor NotCompatible, and it showed relatively low activity levels with occasional moderate spikes. That’s all changed over the past few days, as we’ve seen a sudden surge in detection data across the Mobile Threat Network – peaking at almost 20,000 detections per day between Sunday and Monday this past weekend.

What’s Changed?

The technical capabilities and construction of the threat haven’t changed significantly since last May. Interestingly, in this resurgence, the distribution strategy has changed: it’s now being spread primarily via spam from hacked email accounts.

Security Alert: NotCompatible

Figure 1. A sample spam message distributing NotCompatible

Android-Specific Targeting

The original distribution campaigns for NotCompatible specifically targeted Android users by only triggering a download for browsers that reported a user-agent header that contains the word ‘Android.’ The spam links in question perform a similar targeting tactic.

Clicking a spammed link in a browser on Windows, iOS, and OSX simply directs to a fake Fox News weight loss article, as shown below.

Fake Fox News Weight Loss Article

Figure 2. Fake weight loss site that non-Android users are redirected to

When clicking the link on an Android device, the browser is redirected to an “Android Security site” for an update. Depending on the user’s Android OS Version and browser, they may be prompted about the download. Many stock browsers will transparently trigger a download to the device /Downloads folder whereas Chrome displays a confirmation dialog.

Figure 3. Fake Android Security site serving NotCompatible samples

Lookout user’s have been protected by the NotCompatible threat since May 2012, so even if a drive by download like this is successfully downloaded, Lookout’s File System Monitoring feature will detect the threat as soon as the download is complete.

Figure 4. Lookout Filesystem Monitoring actively protecting against downloaded malware

In fact, we’ve seen that this is the case for the overwhelming majority of our detections during the recent spike in activity, with only 2% of detections coming from actual installations.

How to Stay Safe

  • Avoid opening spam email. Unexpected emails from long lost friends with generic titles such as ‘hot news’ or ‘Last all Night’  or ‘You Won $1000”are normally a good indication that an email is spam.
  • Use common sense when clicking on links. If it’s not a website name that you recognize, err on the side of caution. Be especially careful when receiving links that have been ‘shortened’ (e.g., as it adds an additional layer of obfuscation that is difficult to evaluate.
  • If your mobile device unexpectedly starts downloading a file that you weren’t expecting, don’t click on it – delete it!
  • Download a mobile security app like Lookout that scans for malware.
  1. Give me please more, so interessting.

  2. Amazing wow, thank you for the helpfull information.

  3. I think you should tell us more, thank you it was great!

  4. That’s a great Articel, thank you for the Information.


Leave a comment