March 14, 2013

Still NotCompatible: A Resurgence Via Email Spam

Back in May 2012 we first reported on NotCompatible, a remote proxy threat distributed by hacked websites. Once installed, the NotCompatible malware acts as a proxy, thereby allowing its owner to transmit and receive network data through the infected device. The original threat marked the first time that hacked websites were used to specifically target and infect mobile devices. Since the initial detection, we’ve continued to actively monitor NotCompatible, and it showed relatively low activity levels with occasional moderate spikes. That’s all changed over the past few days, as we’ve seen a sudden surge in detection data across the Mobile Threat Network – peaking at almost 20,000 detections per day between Sunday and Monday this past weekend.

What’s Changed?

The technical capabilities and construction of the threat haven’t changed significantly since last May. Interestingly, in this resurgence, the distribution strategy has changed: it’s now being spread primarily via spam from hacked email accounts.


Figure 1. A sample spam message distributing NotCompatible

Android-Specific Targeting

The original distribution campaigns for NotCompatible specifically targeted Android users by only triggering a download for browsers that reported a user-agent header that contains the word ‘Android.’ The spam links in question perform a similar targeting tactic.

Clicking a spammed link in a browser on Windows, iOS, or OS X simply redirects to a fake Fox News weight loss article, as shown below.


Figure 2. Fake weight loss site that non-Android users are redirected to

When the link is clicked on an Android device, the browser is redirected to an “Android Security site” offering an update. Depending on the user’s Android OS version and browser, they may or may not be prompted about the download: many stock browsers transparently trigger a download into the device’s /Downloads folder, whereas Chrome displays a confirmation dialog.

Figure 3. Fake Android Security site serving NotCompatible samples
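The user-agent split described above (a decoy article for desktop and iOS browsers, a package download only for browsers whose user-agent contains “Android”) leaves a recognisable pattern in outbound web proxy logs. The following is an added example, not Lookout’s code: it parses a constructed proxy log format, flags URLs that answer non-Android clients with HTML but redirect Android clients elsewhere, and separately lists Android clients that received an Android package. The log format, host names and sample lines are all invented for the example.

```python
"""
Detecting user-agent-conditional ("cloaked") downloads in web proxy logs.

Added example, not Lookout's code. The log format and every sample line
below are constructed for illustration; the hosts are not real.
"""
from collections import defaultdict
import re

# Constructed sample lines: <client_ip> <method> <url> <status> <content_type> "<user_agent>"
SAMPLE_LOG = """\
10.0.0.5 GET http://news-example.invalid/weight-loss 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
10.0.0.6 GET http://news-example.invalid/weight-loss 200 text/html "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1) Safari"
10.0.0.7 GET http://news-example.invalid/weight-loss 302 - "Mozilla/5.0 (Linux; Android 4.1.2) Chrome/18.0"
10.0.0.7 GET http://android-update.invalid/Update.apk 200 application/vnd.android.package-archive "Mozilla/5.0 (Linux; Android 4.1.2) Chrome/18.0"
10.0.0.8 GET http://intranet.example/policy.pdf 200 application/pdf "Mozilla/5.0 (Linux; Android 4.0.4) Mobile Safari"
10.0.0.9 GET http://intranet.example/policy.pdf 200 application/pdf "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) Safari"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')
APK_MIME = "application/vnd.android.package-archive"


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, url, status, ctype, ua = m.groups()
    return {"ip": ip, "method": method, "url": url, "status": int(status),
            "ctype": ctype, "ua": ua, "android": "Android" in ua}


def find_cloaked_urls(log_text):
    """URLs that serve HTML (200) to non-Android clients but redirect (3xx) Android clients."""
    by_url = defaultdict(lambda: {"android": set(), "other": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = "android" if rec["android"] else "other"
        by_url[rec["url"]][key].add((rec["status"], rec["ctype"]))
    cloaked = []
    for url, seen in by_url.items():
        android_redirected = any(300 <= s < 400 for s, _ in seen["android"])
        other_served_html = any(s == 200 and c.startswith("text/html") for s, c in seen["other"])
        if android_redirected and other_served_html:
            cloaked.append(url)
    return sorted(cloaked)


def find_android_package_downloads(log_text):
    """(client_ip, url) pairs where an Android user-agent received an APK by MIME type or .apk name."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["android"]:
            continue
        if rec["ctype"] == APK_MIME or rec["url"].lower().endswith(".apk"):
            hits.append((rec["ip"], rec["url"]))
    return hits


if __name__ == "__main__":
    print("cloaked URLs:", find_cloaked_urls(SAMPLE_LOG))
    print("APK downloads to Android clients:", find_android_package_downloads(SAMPLE_LOG))
```

The two checks are deliberately independent: the cloaking check needs at least one Android and one non-Android visit to the same URL, which a small fleet may never produce for a given spam link, while the package-download check fires on a single request and is the one to pair with the “unexpected download” advice later in the post.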

Lookout users have been protected against the NotCompatible threat since May 2012, so even if a drive-by download like this completes successfully, Lookout’s File System Monitoring feature will detect the threat as soon as the download finishes.

Figure 4. Lookout Filesystem Monitoring actively protecting against downloaded malware

In fact, we’ve seen that this is the case for the overwhelming majority of our detections during the recent spike in activity, with only 2% of detections coming from actual installations.
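The post’s point is that the download lands in the Downloads folder and can be caught the moment it completes, before the user ever taps it. As an added example (not Lookout’s File System Monitoring, whose internals the post does not describe), the script below shows the structural check a post-download inspector can apply: an Android package is a ZIP archive carrying an AndroidManifest.xml and a classes.dex, so the archive’s contents, not the file name, decide whether a “security update” is actually an app package. All sample files are constructed in memory; no real malware is involved.

```python
"""
Recognising a completed download as an Android package by its structure.

Added example, not Lookout's code. The samples are built in memory and
stand in for files that would appear in a device's Downloads folder.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every non-empty ZIP


def looks_like_apk(data: bytes) -> bool:
    """True if `data` is a readable ZIP containing AndroidManifest.xml and a classes*.dex."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:  # truncated or corrupt download
        return False
    has_manifest = "AndroidManifest.xml" in names
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return has_manifest and has_dex


def triage_download(filename: str, data: bytes) -> str:
    """Classify a finished download as 'apk', 'apk-disguised' or 'not-apk'."""
    is_apk = looks_like_apk(data)
    if is_apk and filename.lower().endswith(".apk"):
        return "apk"
    if is_apk:
        return "apk-disguised"  # package content behind a non-.apk name
    return "not-apk"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real files.
SAMPLE_APK = make_zip({"AndroidManifest.xml": b"<manifest/>",
                       "classes.dex": b"dex\n035\x00",
                       "META-INF/MANIFEST.MF": b""})
SAMPLE_PLAIN_ZIP = make_zip({"readme.txt": b"hello"})
SAMPLE_PDF = b"%PDF-1.4 constructed placeholder"

if __name__ == "__main__":
    for name, data in [("Update.apk", SAMPLE_APK), ("security-update.bin", SAMPLE_APK),
                       ("archive.zip", SAMPLE_PLAIN_ZIP), ("article.pdf", SAMPLE_PDF)]:
        print(f"{name}: {triage_download(name, data)}")
```

The `apk-disguised` result is the interesting one for a defender: the stock-browser behaviour described above saves whatever the server sends, so a check that keys only on the `.apk` extension misses a package delivered under another name.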

How to Stay Safe

  • Avoid opening spam email. Unexpected emails from long-lost friends with generic subjects such as ‘hot news’, ‘Last all Night’ or ‘You Won $1000’ are normally a good indication that an email is spam.
  • Use common sense when clicking on links. If it’s not a website name that you recognize, err on the side of caution. Be especially careful when receiving links that have been ‘shortened’ (e.g. bit.ly/ABCD), as it adds an additional layer of obfuscation that is difficult to evaluate.
  • If your mobile device unexpectedly starts downloading a file that you weren’t expecting, don’t click on it – delete it!
  • Download a mobile security app like Lookout that scans for malware.
7 comments
  1. sandi says:

    I made the foolish mistake of clicking on what I assume was a NotCompatible link yesterday evening in the midst of some hectic phone calls and emails. I did get the popup from Lookout saying it was a trojan and I selected Remove. However, the same message came up again some time later, and, if I remember right, there were two new Download Complete notifications when I went to bed (with same timestamp). I turned Mobile off (I usually leave it off), but there was something odd this morning, so I rebooted the phone, and it immediately ran a couple updates and another Download Complete notification or two, even though I hadn’t turned Mobile on. Is Lookout doing this? Or does this mean my phone was infected despite Lookout’s efforts? (Eris)

  2. Give me please more, so interesting.

  3. Amazing wow, thank you for the helpful information.

  4. I think you should tell us more, thank you it was great!

  5. That’s a great Article, thank you for the Information.

    Greets.

  6. Dianna says:

    Do you mind if I quote a few of your blog posts as long as I provide credit and sources returning to your weblog: https://blog.lookout.com/blog/2013/03/14/still-notcompatible-a-resurgence-via-email-spam-2/. I am going to also make certain to give you the proper anchor-text link using your blog title: Still NotCompatible: A Resurgence Via Email Spam | The Official Lookout Blog. Please make sure to let me know if this is acceptable with you. Thank you

  7. perece says:

    There are other ways to download and also install Aptoide on our devices, but, for one reason or another, Google has cut Aptoide off and removed its application from the Play Store.
