First Site With Android Drive-By Malware Spotted
Lookout Security has spotted websites serving up the very first Android drive-by malware.
Lookout Security reports that the firm has identified several sites that are serving up malware specifically targeting the Android platform. This means anyone with an unprotected Android device will begin to download the NotCompatible malware when they visit an infected site. The drive-by download is automatic via the system's web browser.
"When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app," Lookout reports. "In order to actually install the app to a device, it must have the 'Unknown sources' setting enabled (this feature is commonly referred to as 'sideloading'). If the device does not have the unknown sources setting enabled, the installation will be blocked."
Android users who have "unknown sources" enabled typically purchase their apps from non-Google Play sources like Amazon's Appstore or GetJar. And even though Google Play can play host to disguised malware despite Google's best efforts, device infection typically takes place because users install non-Google Play apps on their device, especially when downloading from shady repositories.
But in this case, the user simply visits a website voluntarily and the malware is downloaded. To prevent installation, users are advised to switch off the "install from unknown sources" setting, but again that locks them out of legitimate third-party markets. The alternative is to install a security client like Lookout's own service, which blocks NotCompatible, and to never install APK files that weren't voluntarily downloaded.
Still, the drive-by infection appears widespread in terms of the number of websites hosting the malware. "We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous," the firm states.
Later Lookout said that NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. There doesn't seem to be any evidence that it will cause harm to the device, but it could potentially be used to turn an infected Android device into a proxy and gain illicit access to a private network.
"This specific sample, while relatively well constructed, does not appear to go to great lengths to hide its intended purpose: it can be used to access private networks. This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."
Lookout said the trojan would have to be installed manually by the end-user, fooled by the "update.apk" name.
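As an added defender-side illustration (not code from Lookout or from this article), the following script scans web-server access logs for the pattern described above: an .apk served to an Android browser with an HTML page as the Referer, i.e. a download triggered by a page visit rather than chosen by the user, with the "update.apk" filename scoring higher. The log lines, host names and the "combined" log format are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real captures: one drive-by, two benign fetches.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/May/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus One) AppleWebKit/533.1 Mobile Safari/533.1"',
    '10.0.0.5 - - [02/May/2012:10:01:03 +0000] "GET /update.apk HTTP/1.1" 200 30928 '
    '"http://www.example.test/index.html" '
    '"Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus One) AppleWebKit/533.1 Mobile Safari/533.1"',
    '10.0.0.7 - - [02/May/2012:10:02:10 +0000] "GET /update.apk HTTP/1.1" 200 30928 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 Chrome/18.0 Safari/535.19"',
    '10.0.0.8 - - [02/May/2012:10:03:44 +0000] "GET /files/tool.apk HTTP/1.1" 200 90210 "-" '
    '"Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; GT-I9300) AppleWebKit/534.30 Mobile Safari/534.30"',
]

def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_drive_by_apk(rec: Dict[str, str]) -> bool:
    """Heuristic for the pattern in the report: a successfully served .apk, an
    Android browser User-Agent, and a page (not another .apk) as the Referer,
    meaning the fetch was initiated by a page the user visited."""
    if not rec["path"].lower().endswith(".apk") or rec["status"] != "200":
        return False
    if "Android" not in rec["ua"]:
        return False
    ref = rec["referer"].lower()
    return ref not in ("", "-") and not ref.endswith(".apk")

def find_drive_by_downloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the flagged records; the filename the report cites scores 'high'."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and is_drive_by_apk(rec):
            rec["score"] = "high" if rec["path"].lower().endswith("/update.apk") else "medium"
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_drive_by_downloads(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["path"], h["score"])
```

A Referer check alone does not prove a hidden, automatic download, so treat hits as leads to correlate with the device's next requests and with the serving page's markup.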