Android malware being automatically distributed from hacked websites looks like it's being used to mask online purchases, and could be part of a fraud gang's new push into mobile, researchers said today.
"The malware essentially turns your Android phone into a tunnel that can bounce network traffic off your phone," said Kevin Mahaffrey, co-founder and CTO of Lookout Security, a San Francisco-based firm that focuses on Android.
Lookout first published information about the new malware, dubbed "NotCompatible," on Wednesday. Further analysis, however, has revealed the most likely reason why cyber criminals are spreading the malware.
"There are a couple of ways they can profit from this," said Mahaffrey in an interview. "One is general online fraud, the other is targeted attacks against enterprises. We haven't seen any evidence [of the latter], and have confirmed that it is engaged in online purchasing activity."
Once installed, NotCompatible turns an infected Android device into a proxy, through which hackers can then direct data packets, in essence disguising the real source of that traffic by using the compromised devices as middlemen.
Lookout has monitored traffic through NotCompatible-infected Android devices to purchase tickets via TicketMaster, for example, as well as other goods and services.
It's almost certain that the controllers of NotCompatible are using stolen credit cards to purchase products, said Mahaffrey: There's little reason to divert traffic through a proxy if the purchases are legitimate.
NotCompatible uses a never-seen-on-Android attack vector, Mahaffrey and other security experts said this week. "This is the first time that [attackers] have used legitimate websites to serve Android malware," said Mahaffrey. "That's what caught our eye.... We see Android malware all the time, but it's usually served using social engineering."
Mahaffrey was referring to the tactic of enticing users to download and install Trojan horses posing as legitimate apps.
When Android phones or tablets browse to one of the compromised websites, the devices are shunted to hacker-controlled servers, which then automatically download NotCompatible. The malware poses as a security update and asks the user to approve the installation.
While some media reports have characterized NotCompatible as a "drive-by" attack, that's not entirely accurate, said both Mahaffrey and Liam O Murchu, manager of operations with Symantec's security response team. At least not according to the usual definition of the term.
"Drive-by" typically describes attacks that are automatically triggered as soon as a user browses to an infected website, and rely on unpatched vulnerabilities to install malware.
That's not the case with NotCompatible, which although it's downloaded to an Android phone or tablet automatically, still requires some help from the user to be installed. NotCompatible does not exploit an Android vulnerability.
Only devices that allow app installation from 'Unknown Sources' -- in other words, from sites or e-markets beyond the official Google Play app store -- are susceptible to infection, said Lookout and Symantec, which has also dug into NotCompatible.
Such installations, called "sideloading," are often a trait of corporate-owned or -managed devices, since the setting lets IT administrators, or employees for that matter, download and install company-designed apps.
That was one of the reasons Lookout first suspected that the malware was targeting enterprises, perhaps using the Android proxies as a way to conduct reconnaissance of corporate resources, or even using them to transfer stolen data from hacked businesses.
Lookout and Symantec disagreed on the number of compromised sites that were redirecting users to servers offering NotCompatible.
Mahaffey said that Lookout had only confirmed the existence of "tens of sites" infected with the rogue "iframe" element that redirected devices to the malware-hosting servers. However, he did say that there was a far larger number of sites that showed signs of infection; Mahaffrey declined to estimate the number of the latter.
In a separate interview, Symantec's O Murchu put the number of compromised sites at around 1,000.
Both experts said that the hacker-operated servers that were the actual source of NotCompatible have been taken offline.
For Mahaffrey, the NotCompatible campaign is yet another sign of the continued evolution in mobile hacking and malware, which has become increasing aggressive and sophisticated of late. "Mobile malware is exiting the test stage," Mahaffrey argued. "[Cyber criminals] who have been doing this kind of thing for years on the PC have been shifting to mobile."
As proof, Mahaffrey cited Lookout's suspicion that a single player was not behind NotCompatible, but that instead it was the coordinated work of multiple groups, each responsible for a part of the attack and the malware's underlying profit-making infrastructure.
"[NotCompatible's makers] may be selling some sort of online proxy service to others," Mahaffrey said. "Those using these Android proxies may not even know what [the hackers] are doing."
Mahaffrey called the NotCompatible code "well-written and very stable" at one point in the interview. "It's engineered very well, which is fairly different from most Android malware," he said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.