Resurgent Android Worm Develops Conficker-Like Sophistication

NotCompatible, an Android malware threat that’s been around for a couple of years, has re-emerged with a fresh variant that sets a new bar for mobile malware sophistication and operational complexity. Its command infrastructure and communications now protect themselves through redundancy and encryption.

“It’s an earthworm with its tail cut off that regenerates and thrives,” said Tim Strazzere, a researcher at Lookout Software, in a blog post.

NotCompatible.C is typically used, like its previous iterations, as a proxy to run spam campaigns or scalp concert tickets, and is responsible for fueling a massive mobile botnet for this purpose. The botnet has roots stretching back to 2012, and is now often available as a botnet-for-rent. However, it is also an example of how mobile malware complexity is advancing and is borrowing technical tactics already seen in PC malware, Strazzere noted, and it could expand to assist in attacks on corporate networks.

NotCompatible was “a compelling threat from the start, marking one of the first times hacked websites were used at a large scale to specifically target and infect mobile devices,” he said. Infected phones were used to send spam SMS messages without the user’s consent.

But, “while NotCompatible.A was relatively simplistic architecturally, NotCompatible.C is a changed beast in terms of the technological concepts it uses to stay alive.”

In fact, NotCompatible.C’s use of encryption and peer-to-peer communication mirrors advanced PC threats such as later variants of Conficker.

“Much like later variants of Conficker, these features of NotCompatible.C would make it more difficult to detect and stop at the network level due to the obfuscation of its communications and the interchangeability of its endpoints,” the researcher said.

Traditionally, mobile malware operators have not done much to protect their infrastructure or communications. NotCompatible.C, on the other hand, has a two-tiered server architecture. Strazzere explained that the gateway command & control (C2) server uses a load-balancing approach, in which infected devices from different IP address regions are filtered and segmented geographically, and only authenticated clients are allowed to connect.

“Not only does this model bring client usage efficiency, our research suggests that it also aids in avoidance of discovery,” he said. “We suspect that the gateway C2 makes it difficult for behavioral analysis systems and researchers to pick up on traffic.”

If an infected device validates with the gateway properly, it will receive a configuration file containing all active operational C2s, which, at last count, comprised more than 10 separate and distinct servers located across Sweden, Poland, the Netherlands, the UK and the US.

This capability to allow a client to receive C2 connection orders through any number of clients creates a powerful redundancy in the NotCompatible ecosystem and hardens it against disruption, he added.

All of this taken together should be a red flag for corporate security. “To date, Lookout has not observed NotCompatible.C being used to target protected networks, though the proxy capability makes it a potential threat as well as a direct risk to network security,” Strazzere said. “As soon as a device carrying NotCompatible.C is brought into an organization on a mobile device, it could provide the operators of this botnet with access to the organization’s network. Using the NotCompatible proxy, an attacker could potentially do anything from enumerating vulnerable hosts inside the network, to exploiting vulnerabilities and searching for exposed data.”
