Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android Malware Being Pushed in Partial Drive-by Download Attack

During what can only be classified as a partial drive-by download attack, visitors to arriving at a compromised domain using an Android device may be subjected to malware that automatically downloads. However, unlike established drive-by attacks, the malware will require user permission to install.

The attack was initially reported by a user on Reddit, and the malware family involved has been around since late 2011.

During what can only be classified as a partial drive-by download attack, visitors to arriving at a compromised domain using an Android device may be subjected to malware that automatically downloads. However, unlike established drive-by attacks, the malware will require user permission to install.

The attack was initially reported by a user on Reddit, and the malware family involved has been around since late 2011.

“So, I was browsing to my pest company’s website on my phone (HTC Rezound, rooted with BAMF Rom, 2.3.4, sense 3.5) when I went to the link about termites,” Reddit user georgiabiker explained.

“A split second after the page loads, every single time the page loads, a download begins… Does anyone have any ideas about this thing?”

The Redditor enabled Lookout Mobile Security, and was still served the malware. The post caught Lookout’s attention, and their engineers examined the Android Package and determined that it was in fact malicious. They developed detections for it and pushed it to their customers.

As it turns out, the drive-by download – now named NotCompatible – serves as a simple TCP relay / proxy when installed on compromised devices. Served from compromised domains via an embedded IFRAME, the website will examine user agents and serve the APK to Android devices. However, unlike other drive-by attacks, the user (and it won’t matter if their device is rooted or not) will still need to manually install the malicious application.

“If a user visits a compromised website from an Android device, their mobile web browser will automatically begin downloading the NotCompatible application, named ‘Update.apk’… Based on our initial investigation, we’ve confirmed that a number of websites have been compromised. However, affected sites appear to show relatively low traffic and we expect total impact to Android users to be low,” Lookout explained on their blog.

Advertisement. Scroll to continue reading.

The intended function of NotCompatible isn’t hidden; it’s designed to access private networks. Such an application could cause “significant” problems for network administrators Lookout added, as an infected device could be used to access protected information or systems.

“Don’t install unknown packages on your smartphone, random websites are not likely to provide you with security updates. If you are an Android user even your carrier or phone manufacturer is unlikely to supply you with security fixes, so don’t be fooled,” commented Sophos’ Chester Wisniewski in a blog post.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.