
First Site With Android Drive-By Malware Spotted

Source: Lookout Security | 6 comments

Lookout Security has spotted websites serving up the very first Android drive-by malware.

Lookout Security reports that the firm has identified several sites that are serving up malware specifically targeting the Android platform. This means anyone with an unprotected Android device will begin to download the NotCompatible malware when they visit an infected site. The drive-by download is automatic via the system's web browser.

"When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app," Lookout reports. "In order to actually install the app to a device, it must have the 'Unknown sources' setting enabled (this feature is commonly referred to as 'sideloading'). If the device does not have the unknown sources setting enabled, the installation will be blocked."

Android users who have "unknown sources" enabled typically purchase their apps from non-Google Play sources like Amazon's Appstore or GetJar. And even though Google Play can play host to disguised malware despite Google's best efforts, device infection typically takes place because users install non-Google Play apps on their device, especially when downloading from shady repositories.

But in this case, the user simply visits a website voluntarily and downloads the malware. To prevent installation, users are advised to switch off the "install from unknown source" setting, but again that locks them out of legit markets. The alternative is to install a security client like Lookout's own service, which blocks NotCompatible, and to not install APK files that weren't voluntarily downloaded.

Still, the drive-by infection sounds epidemic given the number of websites playing host to the malware. "We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous," the firm states.

Later Lookout said that NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. There doesn't seem to be any evidence that it will cause harm to the device, but it could potentially be used to turn an infected Android device into a proxy and gain illicit access to a private network.

"This specific sample, while relatively well constructed, does not appear to go to great lengths to hide its intended purpose: it can be used to access private networks. This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."

Lookout said the trojan would have to be installed manually by the end-user, fooled by the "update.apk" name.
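A network-side check for the behaviour described above, as an added example that is not from Lookout or the original article: it flags APK downloads delivered to Android browsers from hosts outside an allowlist and rates the "update.apk" file name higher. The log format, host names and allowlist are assumptions, and the records are constructed.

```python
import json
from urllib.parse import urlparse

APK_MIME = "application/vnd.android.package-archive"  # MIME type of APK files
# Assumption: app-store hosts this organization expects APK downloads from.
EXPECTED_APK_HOSTS = {"appstore.example"}

# Constructed sample proxy records (one JSON object per line); not real traffic.
ANDROID_UA = "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"client": "10.0.4.21", "ua": ANDROID_UA,
     "url": "http://news-site.example/story", "ctype": "text/html"},
    {"client": "10.0.4.21", "ua": ANDROID_UA,
     "url": "http://payload-host.example/update.apk", "ctype": APK_MIME},
    {"client": "10.0.4.30", "ua": ANDROID_UA,
     "url": "https://appstore.example/client.apk", "ctype": APK_MIME},
    {"client": "10.0.4.33", "ua": ANDROID_UA,
     "url": "http://cdn.example/get?id=7", "ctype": APK_MIME + "; charset=binary"},
    {"client": "10.0.4.40", "ua": DESKTOP_UA,
     "url": "http://payload-host.example/update.apk", "ctype": APK_MIME},
])

def flag_apk_downloads(log_text):
    """Return (client, host, severity) for APKs sent to Android browsers."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "android" not in rec.get("ua", "").lower():
            continue  # only mobile clients can be prompted to install the APK
        url = urlparse(rec["url"])
        ctype = rec.get("ctype", "").split(";")[0].strip().lower()
        # Match on MIME type as well as extension: the URL may not end in .apk.
        is_apk = ctype == APK_MIME or url.path.lower().endswith(".apk")
        if not is_apk or url.hostname in EXPECTED_APK_HOSTS:
            continue
        name = url.path.rsplit("/", 1)[-1].lower()
        # "update.apk" is the file name the article reports for NotCompatible.
        severity = "high" if name == "update.apk" else "medium"
        findings.append((rec["client"], url.hostname, severity))
    return findings

if __name__ == "__main__":
    for finding in flag_apk_downloads(SAMPLE_LOG):
        print(finding)
```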

6 Comments
  • 5
    el33t , May 4, 2012 1:15 PM
    Thanks for the heads-up!! :) 
  • 4
    Camikazi , May 4, 2012 2:28 PM
    So you are prompted to click on the notification to install an app that started downloading by itself. So basically what you are saying is it is completely the user's fault if this gets installed but they will blame Google anyway.
  • 0
    bigdog44 , May 4, 2012 3:12 PM
    Camikazi: "So you are prompted to click on the notification to install an app that started downloading by itself. So basically what you are saying is it is completely the user's fault if this gets installed but they will blame Google anyway."

    Most individuals that use tech aren't familiar with how it works. That's why attacks like this can happen in the first place. Maybe instead of being negative you could post something helpful with the apparent wealth of knowledge you have on the subject...
  • 0
    eddieroolz , May 4, 2012 5:04 PM
    Things just keep turning out the way I said it would.
  • 0
    christarp , May 4, 2012 6:43 PM
    Camikazi: "So you are prompted to click on the notification to install an app that started downloading by itself. So basically what you are saying is it is completely the user's fault if this gets installed but they will blame Google anyway."

    All viruses are like that. The user's fault. Doesn't mean the company that lets them happen isn't at fault. Stop trying to defend Google to the death over things like this.
  • 0
    the_brute , May 5, 2012 12:30 AM
    I don't know what is going on, there were several more posts earlier, and I got a Java error again, so please vote this down if it's a second post.

    *from earlier* This is where I think WP 8 will kill Apple and Android. They have been battling all these security issues for over 15 years and have a large portion of Windows behind it. Apple will get stuck with their pants down, and Android will not be able to push updates to all of its versions fast enough. Meanwhile Win 8 will be more vulnerable right off the bat, but it will be pushing updates like crazy.