Android Malware Being Pushed in Partial Drive-by Download Attack

During what can only be classified as a partial drive-by download attack, visitors to arriving at a compromised domain using an Android device may be subjected to malware that automatically downloads. However, unlike established drive-by attacks, the malware will require user permission to install.

The attack was initially reported by a user on Reddit, and the malware family involved has been around since late 2011.

“So, I was browsing to my pest company’s website on my phone (HTC Rezound, rooted with BAMF Rom, 2.3.4, sense 3.5) when I went to the link about termites,” Reddit user georgiabiker explained.

“A split second after the page loads, every single time the page loads, a download begins… Does anyone have any ideas about this thing?”

The Redditor enabled Lookout Mobile Security, and was still served the malware. The post caught Lookout’s attention, and their engineers examined the Android Package and determined that it was in fact malicious. They developed detections for it and pushed it to their customers.

As it turns out, the drive-by download – now named NotCompatible – serves as a simple TCP relay / proxy when installed on compromised devices. Served from compromised domains via an embedded IFRAME, the website will examine user agents and serve the APK to Android devices. However, unlike other drive-by attacks, the user (and it won’t matter if their device is rooted or not) will still need to manually install the malicious application.

“If a user visits a compromised website from an Android device, their mobile web browser will automatically begin downloading the NotCompatible application, named ‘Update.apk’… Based on our initial investigation, we’ve confirmed that a number of websites have been compromised. However, affected sites appear to show relatively low traffic and we expect total impact to Android users to be low,” Lookout explained on their blog.

The intended function of NotCompatible isn’t hidden; it’s designed to access private networks. Such an application could cause “significant” problems for network administrators Lookout added, as an infected device could be used to access protected information or systems.

“Don’t install unknown packages on your smartphone, random websites are not likely to provide you with security updates. If you are an Android user even your carrier or phone manufacturer is unlikely to supply you with security fixes, so don’t be fooled,” commented Sophos’ Chester Wisniewski in a blog post.