New version of NotCompatible malware danger
It’s a sign of the increasing prevalence of mobile computing devices that mobile malware is also evolving and becoming more sophisticated. NotCompatible is a piece of Android malware that has been around since 2012; a new version discovered recently has the capacity to infect users and spread to corporate networks.
When first discovered in 2012, NotCompatible used a different (for the time) technique to infect Android devices. It used an injected iframe which then redirected the user to a site that downloaded the malware to the device. The user then received a prompt to install the malware. The prompt was designed to fool the user into thinking they were installing a genuine Android update.
Note that the malware prompted require the user for installation. If the user rejected the install and deleted the file, then the malware was not installed. Early versions of NotCompatible were unsophisticated; communications between the malware and a command and control server were not even encrypted, making the malware’s network traffic easy to distinguish from other network traffic.
The latest version of the NotCompatible malware does encrypt communications with its command and control server. Encrypting communications makes it difficult for software to track network communications and isolate potential threats.
A further feature of the latest version of NotCompatible is the ability of the command and control server to send an infected device a list of other infected devices. This allows an attacker to build botnets utilising any number of infected devices.
NotCompatible does not appear to steal any user information; its main purpose is the building of botnets for spam campaigns. Spam campaigns should not be underestimated; they often presage an attack on an organisation.
In a blog post, Lookout state that “NotCompatible is very likely a rent-a-botnet business that allows anyone to buy access for a variety of activities.” The creators of the malware are effectively running a business, albeit one with malevolent intent.
Many employees now use mobile devices in the workplace; the latest version of NotCompatible has the potential to cause issues with infected devices connecting to a corporate network. The worst case scenario is that attackers are able to access a corporation’s servers and subsequently compromise key IT assets.
The method used to spread the new version varies; spam email is used in many cases. Drive by downloads are also used. There are ways to prevent infection; as sated above, the malware will prompt for installation. Also ensure that system updates are not installed automatically.
Scott Reeves
MailShark
Free anti-spam service
Free email filter service