Compromised websites used to serve drive-by Android malware

May 3, 2012


In a new twist in the malware for Android story, the mobile security company Lookout has released details of a new Android malware which automatically starts downloading to the victim’s device when they visit an infected web page. Known as a “drive-by download”, the malware app starts to download without the user’s permission, and because it claims to be a system update it is likely that unsuspecting users will happily install it.

For a website to serve up the NotCompatible malware, as it has been dubbed, it needs to have been previously compromised by a hacker who adds some HTML to the website (specifically an iframe pointing to androidonlinefix.info or gaoanalitics.info). When a browser running on Android renders the iframe, the servers at androidonlinefix.info or gaoanalitics.info send a file called Update.apk. When the website is visited with a browser on a PC, no download is sent.
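The injected iframe described above is something a site owner can scan for. The following is an added example, not code from the article or from Lookout: it parses a page's HTML, collects every iframe, and flags those whose host is one of the two domains named in the article (androidonlinefix.info and gaoanalitics.info) or a subdomain of them. As a second, more general signal it also flags hidden iframes (display:none or zero-sized) that point at any external host; that heuristic is an assumption of this example, since the article does not say how the injected iframe was styled. The sample page, the owning hostname `www.example.com` and the host `other.example` are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator domains taken from the article: the injected iframe points at one of these.
NOTCOMPATIBLE_DOMAINS = {"androidonlinefix.info", "gaoanalitics.info"}


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({(k or "").lower(): (v or "") for k, v in attrs})


def host_of(url):
    """Return the lowercase hostname of a URL ('' for relative/same-origin references).
    Scheme-relative values such as //host/path are handled by urlparse."""
    return (urlparse(url.strip(), scheme="http").hostname or "").lower()


def is_hidden(attrs):
    """Heuristic (assumption of this example): an iframe is 'hidden' if its inline
    style removes it from view or if both width and height are at most 1."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        m = re.match(r"\s*(\d+)", value)
        return m is not None and int(m.group(1)) <= 1

    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))


def scan_page(html, page_host, bad_domains=NOTCOMPATIBLE_DOMAINS):
    """Return a list of (src, reason) tuples for iframes worth investigating.

    page_host is the hostname the page legitimately lives on, so that same-site
    embeds are not reported as external."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = host_of(src)
        if not host:
            continue  # relative iframe on the same origin; out of scope here
        if host in bad_domains or any(host.endswith("." + d) for d in bad_domains):
            findings.append((src, "known NotCompatible domain"))
        elif host != page_host.lower() and is_hidden(attrs):
            findings.append((src, "hidden iframe to external host"))
    return findings


# Constructed sample page: one ordinary visible embed, one injected iframe to a
# domain named in the article, and one hidden zero-size iframe to an unrelated host.
SAMPLE_HTML = """<html><body>
<h1>Termite treatment</h1>
<iframe src="https://example.org/embed" width="400" height="300"></iframe>
<iframe src="http://androidonlinefix.info/" width="1" height="1" style="display: none"></iframe>
<iframe src="//other.example/" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reason in scan_page(SAMPLE_HTML, "www.example.com"):
        print(f"{reason}: {src}")
```

Run against the HTML as stored on the web server rather than as fetched through a browser, since the article notes the payload is only served to Android clients; the injected iframe markup itself, however, is present in the page regardless of who requests it.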

Current research can’t find anything particularly malicious about the NotCompatible Trojan, which appears to just serve as a simple TCP relay / proxy. There is a potential threat in that corporate or government networks could be compromised by commanding the Trojan to act as a proxy, allowing an outside hacker to bypass any firewalls.

“So, I was browsing to my pest company’s website on my phone when I went to the link about termites,” said georgiabiker, who originally discovered the malware. “A split second after the page loads a download begins. So it is clearly some sort of malware masquerading as an update.”

One possible safeguard is that the Android device must have the install from “Unknown sources” setting enabled; if it doesn’t, the installation will be blocked. However, many third party Android app markets, including Amazon’s Appstore, require users to enable this setting.

According to Lookout, a number of websites have been compromised. However, these seem to be low traffic sites, and so the total number of downloads has been relatively small.

Comments

  • Mike Cermak

    So, I’m not entirely sure what impact this would have, unless I’m missing something. While the “infection” is drive-by, all it does is download an .apk. That .apk would still need to be independently executed to, in fact, be harmful, right? I don’t think there’s anything about the use of the filename update.apk that would cause it to auto-execute (granted, the meatsack operating the device might be tempted to execute it, but that’s social engineering).

  • http://www.garysims.co.uk garysims

    I think for the moment the impact is minimal, but this is the first example of malware delivered by drive-by download for Android. Coupled with the correct social engineering it could become an effective malware delivery system.

    Gary