Connect with us

Hi, what are you looking for?


Mobile & Wireless

Advanced Variant of “NotCompatible” Android Malware a Threat to Enterprises

Mobile security firm Lookout has been monitoring the evolution of the Android Trojan dubbed “NotCompatible”, and they say the latest version of the malware is sophisticated enough to pose a threat to protected enterprise networks.

Mobile security firm Lookout has been monitoring the evolution of the Android Trojan dubbed “NotCompatible”, and they say the latest version of the malware is sophisticated enough to pose a threat to protected enterprise networks.

NotCompatible.A, which researchers discovered in 2012, acted as a proxy on infected devices, but it didn’t cause any direct damage. The mobile malware’s authors did not use a complex command and control (C&C) architecture and communications were not encrypted, making it easy for security solutions to detect its activities.

New features in NotCompatible.C

The latest version of the threat, NotCompatible.C, is far more complex. According to Lookout, the authors have made it more difficult to detect and resilient to takedowns by implementing features usually found in mature PC-based malware.

NotCompatible Android MalwareNotCompatible.C uses peer-to-peer (P2P) communications between infected devices, which makes it resilient to IP and DNS blocking, and it relies on multiple C&C servers that are geographically distributed, which enables the malware to function properly even if law enforcement authorities manage to shut down individual servers.

The malware’s authors have also started encrypting all C&C and proxied traffic, making it difficult for network security solutions to identify the malicious traffic. Furthermore, public key cryptography is used for mutual authentication between C&C servers and clients.

In an effort to protect their infrastructure, the cybercriminals use a gateway C&C to analyze incoming connections, and block those that come from IP addresses that are not trusted.

NotCompatible.C distribution and use

Advertisement. Scroll to continue reading.

NotCompatible.C is distributed through spam campaigns and compromised websites. The attackers are not leveraging any exploits, but instead rely on social engineering to trick potential victims into installing the threat on their mobile devicese. One of the distribution campaigns observed by Lookout used the classic “security update” ruse.

According to the security firm, the cybercriminals have acquired compromised websites and accounts in bulk. In one of the spam runs seen by researchers, only Yahoo accounts had been used. In a different campaign, the attackers used only compromised AOL accounts.

These techniques have been successful. Lookout says its solutions have blocked hundreds of thousands of infection attempts in the United States and other countries around the world. In the U.S. for instance, NotCompatible reached encounter rates of more than 1% at its peak, researchers noted.

Experts believe the malicious actors behind NotCompatible have adopted a rent-a-botnet business model, and are either providing access to their botnet to other cybercriminals, or they are a multi-faceted group. The botnet has been leveraged for spam campaigns (weight loss), for bulk ticket purchasing (Craigslist, Ticketmaster, StubHub), brute-force attacks against WordPress website administration panels, and c99 shell control (logging into shells and performing various actions).

Attacks against protected networks

 Lookout says it has not seen NotCompatible.C being used in attacks targeted at corporate networks. However, the company has detected hundreds of networks with devices that have encountered the malware.

NotCompatible Trojan Attack Vector


“As soon as a device carrying NotCompatible.C is brought into an organization on a mobile device, it could provide the operators of this botnet with access to the organization’s network. Using the NotCompatible proxy, an attacker could potentially do anything from enumerating vulnerable hosts inside the network, to exploiting vulnerabilities and search for exposed data,” Lookout researchers explained in a blog post.

NotCompatible is a great tool for targeting corporate networks because it’s difficult to detect and block by network-based security systems. Its traffic is encrypted to avoid raising any red flags, and P2P communications enable the malware to function even if organizations block known C&C servers at network layer, Lookout said.

“As a mobile botnet with widespread distribution and proxy capabilities, the potential use of NotCompatible.C as a gateway to attack protected networks and systems is not only plausible, but a likely outcome,” experts warned.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.