Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android Malware Being Pushed in Partial Drive-by Download Attack

During what can only be classified as a partial drive-by download attack, visitors to arriving at a compromised domain using an Android device may be subjected to malware that automatically downloads. However, unlike established drive-by attacks, the malware will require user permission to install.

The attack was initially reported by a user on Reddit, and the malware family involved has been around since late 2011.

During what can only be classified as a partial drive-by download attack, visitors to arriving at a compromised domain using an Android device may be subjected to malware that automatically downloads. However, unlike established drive-by attacks, the malware will require user permission to install.

The attack was initially reported by a user on Reddit, and the malware family involved has been around since late 2011.

“So, I was browsing to my pest company’s website on my phone (HTC Rezound, rooted with BAMF Rom, 2.3.4, sense 3.5) when I went to the link about termites,” Reddit user georgiabiker explained.

“A split second after the page loads, every single time the page loads, a download begins… Does anyone have any ideas about this thing?”

The Redditor enabled Lookout Mobile Security, and was still served the malware. The post caught Lookout’s attention, and their engineers examined the Android Package and determined that it was in fact malicious. They developed detections for it and pushed it to their customers.

As it turns out, the drive-by download – now named NotCompatible – serves as a simple TCP relay / proxy when installed on compromised devices. Served from compromised domains via an embedded IFRAME, the website will examine user agents and serve the APK to Android devices. However, unlike other drive-by attacks, the user (and it won’t matter if their device is rooted or not) will still need to manually install the malicious application.

“If a user visits a compromised website from an Android device, their mobile web browser will automatically begin downloading the NotCompatible application, named ‘Update.apk’… Based on our initial investigation, we’ve confirmed that a number of websites have been compromised. However, affected sites appear to show relatively low traffic and we expect total impact to Android users to be low,” Lookout explained on their blog.

The intended function of NotCompatible isn’t hidden; it’s designed to access private networks. Such an application could cause “significant” problems for network administrators Lookout added, as an infected device could be used to access protected information or systems.

Advertisement. Scroll to continue reading.

“Don’t install unknown packages on your smartphone, random websites are not likely to provide you with security updates. If you are an Android user even your carrier or phone manufacturer is unlikely to supply you with security fixes, so don’t be fooled,” commented Sophos’ Chester Wisniewski in a blog post.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.