Compromised websites used to serve drive-by Android malware
In a new twist in the malware for Android story, the mobile security company Lookout has released details of a new Android malware which automatically starts downloading to the victim’s device when they visit an infected web page. Known as a “drive-by download” the malware app starts to download without the user’s permission and because it claims to be a system update it is likely that unsuspecting users will happily install it.
For a website to serve up the NotCompatible malware, as it has been dubbed, it needs to have been previously compromised by a hacker who adds some HTML to the website (specifically an iframe pointing to androidonlinefix.info or gaoanalitics.info). When a browser running on Android renders the iframe the servers at androidonlinefix.info or gaoanalitics.info send an file called Update.apk. When the website is visited with a browser on a PC no download is sent.
Current research can’t find anything particularly malicious about the NotCompatible Trojan which appears to just serve as a simple TCP relay / proxy. There is a potential threat in that corporate or government networks could be compromised by commanding the Trojan to act as a proxy allowing an outside hacker to bypass any firewalls.
“So, I was browsing to my pest company’s website on my phone when I went to the link about termites,” said georgiabiker who originally discovered the malware. “A split second after the page loads a download begins. So it is clearly some sort of malware masquerading as an update.”
One possible safe guard is that the Android device must have the install from “Unknown sources” setting enabled, if it doesn’t the installation will be blocked. However many third party Android app markets including Amazon’s Appstore require users to enable this setting.
According to Lookout, a number of websites have been compromised. However these seem to be low traffic sites and so the total number of downloads has been relatively small.