Still NotCompatible: Android trojan takes fresh tack with spear-phishing

Worse, it’s back in almost epidemic form: during a five-day period last week, security firm Lookout saw more than 70,000 detections, 95 percent of them affecting US-based users.

NotCompatible was first uncovered by Lookout Security in May 2012, and was identified as a remote proxy malware threat distributed by hacked websites. Once downloaded, the malware owner could take over the phone to purchase goods or carry out other transactions, mostly fraud-related. In the previous infection wave, the trojan mainly used infected phones to purchase concert tickets, unbeknownst to the user.

“Since the initial detection, we’ve continued to actively monitor NotCompatible, and it showed relatively low activity levels with occasional moderate spikes,” wrote Lookout researcher Tim Strazzere, in a blog.

But that’s all changed over the past several days, with a sudden surge in detection data across Lookout’s Mobile Threat Network, peaking at almost 20,000 detections per day.

One reason for that is a change-up of strategy. NotCompatible is now using email spear-phishing spam to distribute and infect Android devices. Once installed, NotCompatible turns the phone into a proxy to commit online fraud, as demonstrated in this YouTube video.

The malware is notable in the annals of Android cyber-issues. NonCompatible represents “the first time the industry saw hacked websites being used to specifically target mobile devices rather than PC devices,” explained Strazzere.

The original distribution campaigns for NotCompatible specifically targeted Android users by only triggering a download for browsers that reported a user-agent header that contains the word “Android.” Lookout found that the new spam links perform a similar targeting tactic. Clicking a spammed link in a browser on Windows, iOS or OSX directs to a fake Fox News weight loss article. But when clicking the link on an Android device, the browser is redirected to an “Android Security site” for an update.

Depending on the user’s Android OS Version and browser, the person may be prompted by a dialog box and therefore alerted to the download. “Many stock browsers will transparently trigger a download to the device downloads folder, whereas Chrome displays a confirmation dialog,” Strazzere said.

In terms of consumer protection, as ever, it comes down to user awareness. Unexpected emails from long-lost friends with generic titles such as “Hot News” or “Last all Night” or “You Won $1,000” are normally good indications that an email is spam.

“To stay safe, be wary of any emails that have the subject line ‘Hot News’,” noted Strazzere. “Just as if you're on your PC, use common sense when clicking on links from your phone. If your mobile device unexpectedly starts downloading a file that you weren’t expecting, don’t click, delete it.”

What’s Hot on Infosecurity Magazine?