Android malware used to mask online fraud, says expert
'NotCompatible' downloads automatically as soon as an Android user browses to a compromised website, says Lookout
Computerworld - Android malware being automatically distributed from hacked websites looks like it's being used to mask online purchases, and could be part of a fraud gang's new push into mobile, researchers said today.
"The malware essentially turns your Android phone into a tunnel that can bounce network traffic off your phone," said Kevin Mahaffrey, co-founder and CTO of Lookout Security, a San Francisco-based firm that focuses on Android.
Lookout first published information about the new malware, dubbed "NotCompatible," on Wednesday. Further analysis, however, has revealed the most likely reason why cyber criminals are spreading the malware.
"There are a couple of ways they can profit from this," said Mahaffrey in an interview. "One is general online fraud, the other is targeted attacks against enterprises. We haven't seen any evidence [of the latter], and have confirmed that it is engaged in online purchasing activity."
Once installed, NotCompatible turns an infected Android device into a proxy, through which hackers can then direct data packets, in essence disguising the real source of that traffic by using the compromised devices as middlemen.
Lookout has monitored traffic through NotCompatible-infected Android devices to purchase tickets via TicketMaster, for example, as well as other goods and services.
It's almost certain that the controllers of NotCompatible are using stolen credit cards to purchase products, said Mahaffrey: There's little reason to divert traffic through a proxy if the purchases are legitimate.
NotCompatible uses a never-seen-on-Android attack vector, Mahaffrey and other security experts said this week. "This is the first time that [attackers] have used legitimate websites to serve Android malware," said Mahaffrey. "That's what caught our eye.... We see Android malware all the time, but it's usually served using social engineering."
Mahaffrey was referring to the tactic of enticing users to download and install Trojan horses posing as legitimate apps.
When Android phones or tablets browse to one of the compromised websites, the devices are shunted to hacker-controlled servers, which then automatically download NotCompatible. The malware poses as a security update and asks the user to approve the installation.
While some media reports have characterized NotCompatible as a "drive-by" attack, that's not entirely accurate, said both Mahaffrey and Liam O Murchu, manager of operations with Symantec's security response team. At least not according to the usual definition of the term.
"Drive-by" typically describes attacks that are automatically triggered as soon as a user browses to an infected website, and rely on unpatched vulnerabilities to install malware.
That's not the case with NotCompatible, which although it's downloaded to an Android phone or tablet automatically, still requires some help from the user to be installed. NotCompatible does not exploit an Android vulnerability.
Google's Android OS
- Review: 5 video editing apps for Android
- Malware-infected Android apps spike in the Google Play store
- Nokia plans forked Android smartphone for Barcelona unveiling
- LG G Flex deep-dive review: The curious case of the curved phone
- Xperia Z1S deep-dive review: A stylish phone with power and panache
- Low-end smartphone battle forces Nokia to Android
- Moto G real-world review: The best budget phone money can buy
- Google escalates offensive against Office with Android 'KitKat'
- Galaxy Note 3 deep-dive review: A plus-sized phone with perks and quirks
- LG G2 deep-dive review: Extraordinary hardware in an ordinary phone
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Review: Box beats Dropbox - and all the rest - for business Box trumps Dropbox, Engyte, Citrix ShareFile, EMC Syncplicity, and OwnCloud with rich mix of file sync, file sharing, user management, deep reporting and...
- Analyst Report-Mixed All Flash Arrays Delivers Safer Higher Performance What is the impact of an all-flash array with enterprise features and reliability on the mainstream data center? In the mainstream environment, storage...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Malware and Vulnerabilities White Papers |