As the number of mobile devices connected to the Internet grows, the number of threats to our smartphones, tablets, and other connected devices grows as well. And guess what? Lookout Mobile Security on Tuesday reported that there are now hacked websites targeting Android devices with a new Android Trojan called NotCompatible, an attack vector previously only used to infect PCs with malware.
"In this specific attack, if a user visits a compromised website from an Android device, their Web browser will automatically begin downloading an application—this process is commonly referred to as a drive-by download," the security firm said on its official Lookout blog.
The hacked websites have a hidden iframe, a window that brings content from elsewhere into the target Web site, at the bottom of a page. The iframe causes the browser to pull content from two other malicious websites hosting NotCompatible. If a PC accesses either of those websites, a "not found" error is displayed, Lookout said.
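As an added illustration (not code from Lookout or this article), here is a small check a site operator could run over their own pages to spot the injection pattern described above: an iframe that is hidden or sized to a pixel and whose source points off-site. The sample HTML and the `.invalid` hostname are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal on-site iframe plus an injected hidden,
# off-site one at the bottom of the page (hostname is made up, not a real IoC).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<p>Contact us.</p>
<iframe src="http://malicious-example.invalid/update.php"
        style="visibility:hidden;" width="1" height="1"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return src values of iframes that are both hidden and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        off_site = host is not None and host.lower() != site_host.lower()
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style", ""))) or (
            _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")))
        if off_site and hidden:
            findings.append(src)
    return findings


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious hidden off-site iframe:", src)
```

A real compromise can also use JavaScript to write the iframe at load time, so fetching the rendered page, not just the stored file, gives better coverage.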
"When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app. In order to actually install the app to a device, it must have the ‘Unknown sources’ setting enabled (this feature is commonly referred to as ‘sideloading’). If the device does not have the unknown sources setting enabled, the installation will be blocked."
"This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy," Lookout said. "This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."
Lookout called the development "the first time hacked websites are being used to specifically target mobile devices." Malware threats to Android phones in the past have largely come via apps.
The security firm said it was still assessing how many sites were infected with the NotCompatible malware but that "there are early indications that the number of affected sites could be numerous." However, compromised websites that are delivering NotCompatible through Android mobile Web browsers appear to be relatively low-traffic sites, Lookout said, and for the time being, "we expect total impact to Android users to be low."
Further research by the Lookout team indicates that NotCompatible works as "a simple TCP relay/proxy while posing as a system update." The company said the malware isn’t currently harming target devices as far as they can tell, but "could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy."
Android device users should be on the lookout for automatic downloads of the NotCompatible application, which is called "Update.apk". Lookout said its own security products protect Android device users against the malware through general protections that are in place to prevent drive-by downloads.
Lookout for Android is PCMag’s Editors’ Choice for Android security, but other high-performing malware detectors include F-Secure Mobile Security 7.6 and McAfee Mobile Security 2.0. All have free versions that include a quick malware scan.